## Summary
There are vulnerabilities in IBM Java Runtime Environment Versions 6 and 7, which are used by Rational Publishing Engine.
## Vulnerability Details
**CVEID:** [_CVE-2017-3514_](<https://vulners.com/cve/CVE-2017-3514>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [_CVE-2017-3512_](<https://vulners.com/cve/CVE-2017-3512>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [_CVE-2017-3526_](<https://vulners.com/cve/CVE-2017-3526>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [_CVE-2017-3509_](<https://vulners.com/cve/CVE-2017-3509>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.2
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>)
**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
## Affected Products and Versions
- Rational Publishing Engine 1.3
- Rational Publishing Engine 2.0
- Rational Publishing Engine 2.0.1
- Rational Publishing Engine 2.1.0
- Rational Publishing Engine 2.1.1
- Rational Publishing Engine 2.1.2
## Remediation/Fixes
Upgrade the IBM Java Runtime Environment used with Rational Publishing Engine to version 7.1.4.5, which can be downloaded from Fix Central: [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Rational+Publishing+Engine&fixids=Rational-RPE-JavaSE-JRE-7.1SR4FP5&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Rational+Publishing+Engine&fixids=Rational-RPE-JavaSE-JRE-7.1SR4FP5&source=SAR>)
## Workarounds and Mitigations
None
Source: IBM Security Bulletin "Vulnerability in IBM Java Runtime affects Rational Publishing Engine", https://www.ibm.com/support/pages/node/562597 (published 2018-06-17).
["THN:AD7F6FD3974449B33F35DBF67FA683D5", "THN:E1A6F01891FE36DE7ABDBBAEFB511689"]}, {"type": "threatpost", "idList": ["THREATPOST:60D5DA46BF733084F46AB656BE8CC259", "THREATPOST:87FD78CACB2F7452FFFE3FD52BF4C9D8"]}, {"type": "ubuntu", "idList": ["USN-3275-1", "USN-3275-2", "USN-3275-3", "USN-4246-1", "USN-4292-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-9840", "UB:CVE-2016-9841", "UB:CVE-2016-9842", "UB:CVE-2016-9843", "UB:CVE-2017-1289", "UB:CVE-2017-3509", "UB:CVE-2017-3511", "UB:CVE-2017-3512", "UB:CVE-2017-3514", "UB:CVE-2017-3526", "UB:CVE-2017-3533", "UB:CVE-2017-3539", "UB:CVE-2017-3544"]}]}, "score": {"value": 0.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "aix", "idList": ["JAVA_APR2017_ADVISORY.ASC"]}, {"type": "amazon", "idList": ["ALAS-2018-1114", "ALAS-2018-1115", "ALAS-2018-1116"]}, {"type": "apple", "idList": ["APPLE:064D138B51FD5A1569959D1A78DD6E63"]}, {"type": "archlinux", "idList": ["ASA-201708-8"]}, {"type": "centos", "idList": ["CESA-2017:1108", "CESA-2017:1109", "CESA-2017:1204"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:B80D5A9EB298D5042EE6C3A994BCD562"]}, {"type": "cve", "idList": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2085-1:566B5", "DEBIAN:DLA-954-1:B7896", "DEBIAN:DSA-3858-1:50A8A"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-3509", "DEBIANCVE:CVE-2017-3511", "DEBIANCVE:CVE-2017-3512", "DEBIANCVE:CVE-2017-3514", "DEBIANCVE:CVE-2017-3526", "DEBIANCVE:CVE-2017-3533", "DEBIANCVE:CVE-2017-3539", "DEBIANCVE:CVE-2017-3544"]}, {"type": "f5", "idList": ["F5:K74843522"]}, {"type": "fedora", "idList": ["FEDORA:74903605DFC6", "FEDORA:78BBA6046256", "FEDORA:C4AB56030B10"]}, {"type": "freebsd", "idList": ["EC5072B0-D43A-11E8-A6D2-B499BAEBFEAF"]}, {"type": "gentoo", "idList": 
["GLSA-201701-56", "GLSA-201705-03"]}, {"type": "ibm", "idList": ["153C8B988C1EC44C13B0535341913C2F66090DDDFC18D3C49268B9CA9BFFB899", "178BA37EC0E384C071E3C2ABDC8AA2080AA024B08ACEC18B79D283DF4E354DE2", "31028229FDC1BB19DF989803B4A864D39E803812D894CCF9E11C53D6714A6D33", "A4142870A39B0F226F82E5AEE05D20C19851EA1E7A0767EB642339BDFF0A751F", "B7E9CE33A8766104CBF43CF1EF0D10747A799C0A2ADF534A80658077B861D8FA", "E9F8D8D5FB66C431AFEE6576AA9B1D7020366F95234DFBF8766FADB1972A76F4"]}, {"type": "kaspersky", "idList": ["KLA11005", "KLA11006"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/CENTOS_LINUX-CVE-2020-15992/"]}, {"type": "nessus", "idList": ["ALA_ALAS-2018-1114.NASL", "ALA_ALAS-2018-1115.NASL", "ALA_ALAS-2018-1116.NASL", "DEBIAN_DLA-2085.NASL", "DEBIAN_DLA-954.NASL", "DEBIAN_DSA-3858.NASL", "EULEROS_SA-2017-1073.NASL", "EULEROS_SA-2017-1074.NASL", "EULEROS_SA-2017-1098.NASL", "EULEROS_SA-2017-1099.NASL", "EULEROS_SA-2020-1556.NASL", "FEDORA_2018-192148F4FF.NASL", "FREEBSD_PKG_EC5072B0D43A11E8A6D2B499BAEBFEAF.NASL", "GENTOO_GLSA-201701-56.NASL", "GENTOO_GLSA-201705-03.NASL", "OPENSUSE-2016-1499.NASL", "OPENSUSE-2017-46.NASL", "OPENSUSE-2017-47.NASL", "OPENSUSE-2017-629.NASL", "OPENSUSE-2017-662.NASL", "OPENSUSE-2018-1284.NASL", "ORACLE_JROCKIT_CPU_APR_2017.NASL", "REDHAT-RHSA-2017-1117.NASL", "REDHAT-RHSA-2017-1118.NASL", "REDHAT-RHSA-2017-1119.NASL", "REDHAT-RHSA-2017-1220.NASL", "REDHAT-RHSA-2017-1221.NASL", "REDHAT-RHSA-2017-1222.NASL", "SUSE_SU-2016-3209-1.NASL", "SUSE_SU-2017-0003-1.NASL", "SUSE_SU-2017-0004-1.NASL", "SUSE_SU-2017-1384-1.NASL", "SUSE_SU-2017-1385-1.NASL", "SUSE_SU-2017-1386-1.NASL", "SUSE_SU-2017-1387-1.NASL", "SUSE_SU-2017-1400-1.NASL", "SUSE_SU-2017-1445-1.NASL", "SUSE_SU-2018-3542-1.NASL", "SUSE_SU-2018-3972-1.NASL", "SUSE_SU-2018-4211-1.NASL", "UBUNTU_USN-3275-1.NASL", "UBUNTU_USN-3275-2.NASL", "UBUNTU_USN-3275-3.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810745", "OPENVAS:1361412562310810746", "OPENVAS:1361412562310814258", 
"OPENVAS:1361412562310814259", "OPENVAS:1361412562310843158", "OPENVAS:1361412562310843173", "OPENVAS:1361412562310843177", "OPENVAS:1361412562310851560", "OPENVAS:1361412562310851565", "OPENVAS:1361412562310851985", "OPENVAS:1361412562310875288", "OPENVAS:1361412562310890954", "OPENVAS:1361412562310892085", "OPENVAS:1361412562311220171073", "OPENVAS:1361412562311220171074", "OPENVAS:1361412562311220171099", "OPENVAS:1361412562311220191276", "OPENVAS:1361412562311220192704", "OPENVAS:1361412562311220201556", "OPENVAS:703858"]}, {"type": "oracle", "idList": ["ORACLE:CPUOCT2017-3236626"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-1108", "ELSA-2017-1109", "ELSA-2017-1204"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142260"]}, {"type": "photon", "idList": ["PHSA-2017-0051"]}, {"type": "redhat", "idList": ["RHSA-2017:3047"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-3511", "RH:CVE-2017-3512", "RH:CVE-2017-3514", "RH:CVE-2017-3544"]}, {"type": "seebug", "idList": ["SSV:93149"]}, {"type": "slackware", "idList": ["SSA-2018-309-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:1429-1", "OPENSUSE-SU-2017:1507-1", "OPENSUSE-SU-2018:3478-1", "SUSE-SU-2017:1384-1", "SUSE-SU-2017:1386-1", "SUSE-SU-2017:1387-1", "SUSE-SU-2017:1400-1", "SUSE-SU-2017:1444-1", "SUSE-SU-2017:1445-1"]}, {"type": "symantec", "idList": ["SMNTC-111284"]}, {"type": "thn", "idList": ["THN:E1A6F01891FE36DE7ABDBBAEFB511689"]}, {"type": "threatpost", "idList": ["THREATPOST:60D5DA46BF733084F46AB656BE8CC259"]}, {"type": "ubuntu", "idList": ["USN-3275-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-9840", "UB:CVE-2016-9841", "UB:CVE-2016-9842", "UB:CVE-2016-9843", "UB:CVE-2017-1289", "UB:CVE-2017-3509", "UB:CVE-2017-3511", "UB:CVE-2017-3512", "UB:CVE-2017-3514", "UB:CVE-2017-3526", "UB:CVE-2017-3533", "UB:CVE-2017-3539", "UB:CVE-2017-3544"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "ibm engineering lifecycle optimization - publishing", "version": 1}, 
{"name": "ibm engineering lifecycle optimization - publishing", "version": 2}, {"name": "ibm engineering lifecycle optimization - publishing", "version": 2}, {"name": "ibm engineering lifecycle optimization - publishing", "version": 2}, {"name": "ibm engineering lifecycle optimization - publishing", "version": 2}, {"name": "ibm engineering lifecycle optimization - publishing", "version": 2}]}, "epss": [{"cve": "CVE-2016-9840", "epss": "0.001330000", "percentile": "0.467140000", "modified": "2023-03-17"}, {"cve": "CVE-2016-9841", "epss": "0.001170000", "percentile": "0.440720000", "modified": "2023-03-17"}, {"cve": "CVE-2016-9842", "epss": "0.001380000", "percentile": "0.476870000", "modified": "2023-03-17"}, {"cve": "CVE-2016-9843", "epss": "0.001170000", "percentile": "0.439990000", "modified": "2023-03-17"}, {"cve": "CVE-2017-1289", "epss": "0.002040000", "percentile": "0.565950000", "modified": "2023-03-17"}, {"cve": "CVE-2017-3509", "epss": "0.003470000", "percentile": "0.671780000", "modified": "2023-03-17"}, {"cve": "CVE-2017-3511", "epss": "0.001050000", "percentile": "0.411220000", "modified": "2023-03-17"}, {"cve": "CVE-2017-3512", "epss": "0.002960000", "percentile": "0.645230000", "modified": "2023-03-17"}, {"cve": "CVE-2017-3514", "epss": "0.003920000", "percentile": "0.691810000", "modified": "2023-03-17"}, {"cve": "CVE-2017-3526", "epss": "0.007010000", "percentile": "0.772550000", "modified": "2023-03-17"}, {"cve": "CVE-2017-3533", "epss": "0.002010000", "percentile": "0.563080000", "modified": "2023-03-17"}, {"cve": "CVE-2017-3539", "epss": "0.001730000", "percentile": "0.526900000", "modified": "2023-03-17"}, {"cve": "CVE-2017-3544", "epss": "0.001730000", "percentile": "0.526900000", "modified": "2023-03-17"}], "vulnersScore": 0.8}, "_state": {"dependencies": 1676958548, "score": 1676958722, "affected_software_major_version": 1677355290, "epss": 1679165106}, "_internal": {"score_hash": "c691c534971bdc77ac5e04bd295bfe23"}, "affectedSoftware": 
[{"version": "1.3", "operator": "eq", "name": "ibm engineering lifecycle optimization - publishing"}, {"version": "2.0.0", "operator": "eq", "name": "ibm engineering lifecycle optimization - publishing"}, {"version": "2.0.1", "operator": "eq", "name": "ibm engineering lifecycle optimization - publishing"}, {"version": "2.1.0", "operator": "eq", "name": "ibm engineering lifecycle optimization - publishing"}, {"version": "2.1.1", "operator": "eq", "name": "ibm engineering lifecycle optimization - publishing"}, {"version": "2.1.2", "operator": "eq", "name": "ibm engineering lifecycle optimization - publishing"}]}
{"ibm": [{"lastseen": "2023-02-21T05:44:35", "description": "## Summary\n\nMultiple vulnerabilities in the Oracle Java SE and the Java SE Embedded impact the IBM SDK, Java Technology Edition.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3514_](<https://vulners.com/cve/CVE-2017-3514>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2017-3512_](<https://vulners.com/cve/CVE-2017-3512>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3526_](<https://vulners.com/cve/CVE-2017-3526>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2017-3509_](<https://vulners.com/cve/CVE-2017-3509>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>)** \nDESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. 
\nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_Not Applicable_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=Not>)** \nDESCRIPTION:** Use this if you deliver IBM Java and are N/A to the IBM Java SDK update vulnerabilities because the vulnerabilities could not be exploited by your product. However, customers could run their own Java code using the IBM Java Runtime delivered with your product. 
\nCVSS Base Score: 0 \nCVSS Temporal Score: See [_Not Applicable_](<https://psirt.raleigh.ibm.com/teamworks/Not>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (0)\n\n## Affected Products and Versions\n\nIBM Monitoring 8.1.3 \nIBM Application Diagnostics 8.1.3 \nIBM Application Performance Management 8.1.3 \nIBM Application Performance Management Advanced 8.1.3 \nIBM Cloud Application Performance Management\n\n## Remediation/Fixes\n\n_Product_\n\n| _Product_ \n_VRMF_| _Remediation_ \n---|---|--- \nIBM Monitoring \n\nIBM Application Diagnostics\n\nIBM Application Performance Management\n\nIBM Application Performance Management Advanced\n\n| _8.1.3_ \n \n_ _ \n_ _| The vulnerabilities can be remediated by applying the following 8.1.3.0-IBM-IPM-SERVER-1F0010 server patch to the system where the Performance Management server is installed:[ \nhttp://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003329](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003329>)\n\nThe vulnerabilities can be remediated by applying the Core Framework patch 8.1.3.0-IBM-IPM-CORE-FRAMEWORK-IPM-IF0004 to all systems where Performance Management agents are installed:\n\n \n[http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003459](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003459>)\n\nThe vulnerabilities can be remediated by applying the following 8.1.3.0-IBM-IPM-GATEWAY-1F0006 Hybrid Gateway patch to the system where the Hybrid Gateway is installed:\n\n \n[http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003330](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003330>) \nIBM Cloud Application Performance Management| _N/A_| The vulnerabilities can be remediated by applying the Core Framework patch 8.1.3.2-IBM-IPM-CORE-FRAMEWORK-IPM-IF0001 to all systems where Performance Management agents are installed: 
\n[http://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&uid=isg400001685](<http://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&uid=isg400001685>)\n\n \nThe vulnerabilities can be remediated by applying the following 8.1.3.2.0-IBM-IPM-GATEWAY-IF0001 Hybrid Gateway patch to the system where the Hybrid Gateway is installed: \n\n[_http://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&uid=isg400001684_](<http://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&uid=isg400001684>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:43:36", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2018-06-17T15:43:36", "id": "93E146998B94EC264E33E7B36FD946A69450033DA52EBD726834D95E2F65C29E", "href": 
"https://www.ibm.com/support/pages/node/565971", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:55:57", "description": "## Summary\n\nJava SE issues disclosed in the Oracle April 2017 Critical Patch Update, plus five additional vulnerabilities\n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2017-3514 CVE-2017-3512 CVE-2017-3511 CVE-2017-3509 CVE-2017-3544 CVE-2017-3533 CVE-2017-3539 CVE-2017-1289 CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 \n \nThis bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2017 Critical Patch Update. For more information please refer to [_Oracle's April 2017 CPU Advisory_](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA>) and the X-Force database entries referenced below. \n\nThis bulletin also describes five additional vulnerabilities which affect IBM SDK, Java Technology Edition.\n\n \n \n**CVEID:** [CVE-2017-3514](<https://vulners.com/cve/CVE-2017-3514>)** \nDESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124893> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2017-3512](<https://vulners.com/cve/CVE-2017-3512>)** \nDESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124891> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-3511](<https://vulners.com/cve/CVE-2017-3511>)** \nDESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-3526](<https://vulners.com/cve/CVE-2017-3526>)** \nDESCRIPTION:** An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124904> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2017-3509](<https://vulners.com/cve/CVE-2017-3509>)** \nDESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 4.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124888> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [CVE-2017-3544](<https://vulners.com/cve/CVE-2017-3544>)** \nDESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124920> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3533](<https://vulners.com/cve/CVE-2017-3533>)** \nDESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124910> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3539](<https://vulners.com/cve/CVE-2017-3539>)** \nDESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
CVSS Base Score: 3.1  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124915> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2017-1289](<https://vulners.com/cve/CVE-2017-1289>)  
**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.  
CVSS Base Score: 8.2  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125150> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

## Affected Products and Versions

- IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 41 and earlier releases
- IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 41 and earlier releases
- IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 1 and earlier releases
- IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 4 Fix Pack 1 and earlier releases
- IBM SDK, Java Technology Edition, Version 8 Service Refresh 4 Fix Pack 2 and earlier releases

For detailed information on which CVEs affect which releases, please refer to the [IBM SDK, Java Technology Edition Security Vulnerabilities page](<https://developer.ibm.com/javasdk/support/security-vulnerabilities/>).

## Remediation/Fixes

Fixes for applicable vulnerabilities are included in the following IBM SDK, Java Technology Edition releases and subsequent releases:

- Version 6 Service Refresh 16 Fix Pack 45
- Version 6R1 Service Refresh 8 Fix Pack 45
- Version 7 Service Refresh 10 Fix Pack 5
- Version 7R1 Service Refresh 4 Fix Pack 5
- Version 8 Service Refresh 4 Fix Pack 5

**NOTE:** The fixes for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842 and CVE-2016-9843 on Solaris, HP-UX and Mac OS are provided in [later releases](<https://www.ibm.com/support/docview.wss?uid=swg22009849>).

IBM SDK, Java Technology Edition releases can be downloaded, subject to the terms of the developerWorks license, from [here](<http://www.ibm.com/developerworks/java/jdk/index.html>).

IBM customers requiring an update for an SDK shipped with an IBM product should contact [IBM support](<http://www.ibm.com/support/>), and/or refer to the appropriate product security bulletin.

**APAR numbers are as follows:**

- [IV95261](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95261>) (CVE-2017-3514)
- [IV95262](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95262>) (CVE-2017-3512)
- [IV95263](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95263>) (CVE-2017-3511)
- [IV95264](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95264>) (CVE-2017-3509)
- [IV95265](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95265>) (CVE-2017-3544)
- [IV95266](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95266>) (CVE-2017-3533)
- [IV95267](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95267>) (CVE-2017-3539)
- [IV95456](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95456>) (CVE-2017-1289)
- [IV95268](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95268>) (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)

Source: IBM Security Bulletin "Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition", published 2018-06-15, <https://www.ibm.com/support/pages/node/558937>

# Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect SmartCloud Entry

## Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6.0.16.35 and Version 7.0.10.1 used by SmartCloud Entry. These issues were disclosed as part of the IBM Java SDK updates in Apr 2017.

## Vulnerability Details

**CVEID:** [CVE-2017-3514](<https://vulners.com/cve/CVE-2017-3514>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.  
CVSS Base Score: 8.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124893> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [CVE-2017-3512](<https://vulners.com/cve/CVE-2017-3512>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.  
CVSS Base Score: 8.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124891> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [CVE-2017-3511](<https://vulners.com/cve/CVE-2017-3511>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system.  
CVSS Base Score: 7.7  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [CVE-2017-3526](<https://vulners.com/cve/CVE-2017-3526>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.  
CVSS Base Score: 5.9  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124904> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2017-3509](<https://vulners.com/cve/CVE-2017-3509>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.  
CVSS Base Score: 4.2  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124888> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

**CVEID:** [CVE-2017-3544](<https://vulners.com/cve/CVE-2017-3544>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.  
CVSS Base Score: 3.7  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124920> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2017-3533](<https://vulners.com/cve/CVE-2017-3533>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.  
CVSS Base Score: 3.7  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124910> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2017-3539](<https://vulners.com/cve/CVE-2017-3539>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.  
CVSS Base Score: 3.1  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124915> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2017-1289](<https://vulners.com/cve/CVE-2017-1289>)  
**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.  
CVSS Base Score: 8.2  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125150> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [Not Applicable](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=Not>)  
**DESCRIPTION:** Use this if you deliver IBM Java and are N/A to the IBM Java SDK update vulnerabilities because the vulnerabilities could not be exploited by your product. However, customers could run their own Java code using the IBM Java Runtime delivered with your product.  
CVSS Base Score: 0  
CVSS Temporal Score: See [Not Applicable](<https://psirt.raleigh.ibm.com/teamworks/Not>) for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (0)

## Affected Products and Versions

- IBM SmartCloud Entry 2.3.0 through 2.3.0.4 Appliance JRE Update 7
- IBM SmartCloud Entry 2.4.0 through 2.4.0.5 Appliance JRE Update 7
- IBM SmartCloud Entry 3.1.0 through 3.1.0.4 Appliance fix pack 25
- IBM SmartCloud Entry 3.2.0 through 3.2.0.4 Appliance fix pack 25

## Remediation/Fixes

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM SmartCloud Entry | 2.3 | None | [IBM SmartCloud Entry 2.3.0.4 JRE Update 8 for Windows](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.3.0.4-IBM-SCE-JRE-IF008-Windows&source=dbluesearch&function=fixId&parent=ibm/Other%20software>) |
| IBM SmartCloud Entry | 2.3 | None | [IBM SmartCloud Entry 2.3.0.4 JRE Update 8 for Linux](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.3.0.4-IBM-SCE-JRE-IF008_Linux&source=SAR&function=fixId&parent=ibm/Other%20software>) |
| IBM SmartCloud Entry | 2.3 | None | [IBM SmartCloud Entry 2.3.0.4 JRE Update 8 for AIX](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.3.0.4-IBM-SCE-JRE-IF008-AIX&source=dbluesearch&function=fixId&parent=ibm/Other%20software>) |
| IBM SmartCloud Entry | 2.4 | None | [IBM SmartCloud Entry 2.4.0.5 JRE Update 8 for Windows](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.4.0.5-IBM-SCE-JRE-IF008-Windows&source=dbluesearch&function=fixId&parent=ibm/Other%20software>) |
| IBM SmartCloud Entry | 2.4 | None | [IBM SmartCloud Entry 2.4.0.5 JRE Update 8 for Linux](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.4.0.5-IBM-SCE-IF008-Linux&source=dbluesearch&function=fixId&parent=ibm/Other%20software>) |
| IBM SmartCloud Entry | 2.4 | None | [IBM SmartCloud Entry 2.4.0.5 JRE Update 8 for AIX](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.4.0.5-IBM-SCE-JRE-Update-IF008-AIX&source=dbluesearch&function=fixId&parent=ibm/Other%20software>) |
| IBM SmartCloud Entry | 3.1 | None | [IBM SmartCloud Entry 3.1.0 Appliance fix pack 25](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=3.1.0.4-IBM-SCE_APPL-FP25&source=SAR&function=fixId&parent=ibm/Other%20software>) |
| IBM SmartCloud Entry | 3.2 | None | [IBM SmartCloud Entry 3.2.0 Appliance fix pack 25](<https://www-945.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=sce_3.2.0.4_appl-fp25&source=dbluesearch&function=fixId&parent=ibm/Other%20software>) |

## Workarounds and Mitigations

None

Source: IBM Security Bulletin, published 2020-07-19, <https://www.ibm.com/support/pages/node/631355>

# Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager

## Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7.0.10.1 used by IBM Cloud Manager. These issues were disclosed as part of the IBM Java SDK updates in Apr 2017.

## Vulnerability Details

**CVEID:** [CVE-2017-3514](<https://vulners.com/cve/CVE-2017-3514>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.  
CVSS Base Score: 8.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124893> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [CVE-2017-3512](<https://vulners.com/cve/CVE-2017-3512>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.  
CVSS Base Score: 8.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124891> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [CVE-2017-3511](<https://vulners.com/cve/CVE-2017-3511>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system.  
CVSS Base Score: 7.7  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [CVE-2017-3526](<https://vulners.com/cve/CVE-2017-3526>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.  
CVSS Base Score: 5.9  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124904> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2017-3509](<https://vulners.com/cve/CVE-2017-3509>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.  
CVSS Base Score: 4.2  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124888> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

**CVEID:** [CVE-2017-3544](<https://vulners.com/cve/CVE-2017-3544>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.  
CVSS Base Score: 3.7  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124920> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2017-3533](<https://vulners.com/cve/CVE-2017-3533>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.  
CVSS Base Score: 3.7  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124910> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2017-3539](<https://vulners.com/cve/CVE-2017-3539>)  
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.  
CVSS Base Score: 3.1  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124915> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2017-1289](<https://vulners.com/cve/CVE-2017-1289>)  
**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.  
CVSS Base Score: 8.2  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125150> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>)  
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base Score: 3.3  
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score  
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

## Affected Products and Versions

- IBM Cloud Manager with OpenStack 4.3.0 through 4.3.0.7
- IBM Cloud Manager with OpenStack 4.1.0 through 4.1.0.5

## Remediation/Fixes

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM Cloud Manager with OpenStack | 4.1 | None | [IBM Cloud Manager with Openstack 4.3 interim fix 7 for fix pack 5](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FCloud+Manager+with+Openstack&fixids=4.1.0.5-IBM-CMWO-IF007&source=SAR&function=fixId&parent=ibm/Other%20software>) |
| IBM Cloud Manager with OpenStack | 4.3 | None | [IBM Cloud Manager with Openstack 4.3 fix pack 8](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Cloud+Manager+with+Openstack&function=fixid&fixids=4.3.0.8-IBM-CMWO-FP08>) |

## Workarounds and Mitigations

None

Source: IBM Security Bulletin, published 2018-08-08, <https://www.ibm.com/support/pages/node/630973>

## Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 8 used by z/TPF. These issues were disclosed as part of the IBM Java SDK updates in April 2017.

## Vulnerability Details

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities, please refer to the link for “IBM Java SDK Security Bulletin” located in the “References” section for more information.  
\n \n**CVEID:** [_CVE-2017-3514_](<https://vulners.com/cve/CVE-2017-3514>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-3512_](<https://vulners.com/cve/CVE-2017-3512>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-3526_](<https://vulners.com/cve/CVE-2017-3526>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [_CVE-2017-3509_](<https://vulners.com/cve/CVE-2017-3509>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) \n \n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nz/TPF Enterprise Edition Version 1.1.14\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nz/TPF| 1.1.14| APAR PJ44655| \n\n 1. Apply APAR PJ44655, which you can download from the [z/TPF maintenance](<http://www.ibm.com/support/docview.wss?uid=swg27049604>) web page.\n 2. Download and install the `PJ44655_ibm-java-jre-8.0-4.5.tar.gz` package from the [IBM 64-bit Runtime Environment for z/TPF, Java Technology Edition, Version 8](<http://www-01.ibm.com/support/docview.wss?uid=swg24043118>) download page. \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-30T07:48:35", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect z/TPF", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2019-08-30T07:48:35", "id": "7DA5BADAAAA106517C7E1A9DDFA3F2D244D760EB8E77D5BF4DA6A21044F50912", "href": "https://www.ibm.com/support/pages/node/560545", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:42:58", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is used by IBM i. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3514_](<https://vulners.com/cve/CVE-2017-3514>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2017-3512_](<https://vulners.com/cve/CVE-2017-3512>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3526_](<https://vulners.com/cve/CVE-2017-3526>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2017-3509_](<https://vulners.com/cve/CVE-2017-3509>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 4.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
\n\n## Affected Products and Versions\n\nReleases 6.1, 7.1, 7.2 and 7.3 of IBM i are affected. \n\n## Remediation/Fixes\n\nThe issue can be fixed by applying a PTF to the IBM i Operating System. \n \nReleases 6.1, 7.1, 7.2 and 7.3 of IBM i are supported and will be fixed. \n \nPlease see the Java document at this URL for the latest Java information for IBM i: \n[_http://www.ibm.com/developerworks/ibmi/techupdates/java_](<http://www.ibm.com/developerworks/ibmi/techupdates/java>) \n \nThe IBM i Group PTF numbers containing the fix for these CVEs follow. Future Group PTFs for Java will also contain the fixes for these CVEs. \n \n** Release 6.1 \u2013 SF99562 level 39** \n** Release 7.1 \u2013 SF99572 level 28** \n** Release 7.2 \u2013 SF99716 level 13** \n**Release 7.3 \u2013 SF99725 level 5** \n \n**_Important note: _**_IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-18T14:26:38", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2019-12-18T14:26:38", "id": "E0253E0BCD2010E2BAB349C52FFCF23EDBB59CE53A5DADB8EB1D97663DFA2A6D", "href": "https://www.ibm.com/support/pages/node/687437", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:35:12", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 6, 7, and 8 that are used by Maximo Asset Management, Maximo Asset Management Essentials, Maximo Asset Management for Energy Optimization, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities), Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, Change and Configuration Management Database, TRIRIGA for Energy Optimization (previously known as Intelligent Building Management), IBM Control Desk, and SmartCloud Control Desk. These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3514_](<https://vulners.com/cve/CVE-2017-3514>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2017-3512_](<https://vulners.com/cve/CVE-2017-3512>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3526_](<https://vulners.com/cve/CVE-2017-3526>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2017-3509_](<https://vulners.com/cve/CVE-2017-3509>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThe following IBM Java versions are affected: \n\n\n * Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 41 and earlier releases\n * Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 41 and earlier releases\n * Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 1 and earlier releases\n * Java Technology Edition, Version 7R1 Service Refresh 4 Fix Pack 1 and earlier releases\n * Java Technology Edition, Version 8 Service Refresh 4 Fix Pack 2 and earlier releases\n \nIt is likely that earlier unsupported versions are also affected by these vulnerabilities. Remediation is not provided for product versions that are no longer supported. IBM recommends that customers running unsupported versions upgrade to the latest supported version of products in order to obtain remediation for the vulnerabilities. \n\n## Remediation/Fixes\n\nThere are two areas where the vulnerabilities in the Java SDK/JDK or JRE may require remediation: \n \n1\\. Application Server \u2013 Update the WebSphere Application Server. Refer to [Security Bulletin: WebSphere Application Server update of IBM\u00ae SDK Java\u2122 Technology Edition](<http://www-01.ibm.com/support/docview.wss?uid=swg22003016>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) for additional information on updating and maintaining the JDK component within WebSphere. Customers with Oracle WebLogic Server, which is not an IBM product and is not shipped by IBM, will also want to update their server. \n \n2\\. 
Browser Client - Update the Java plug-in used by the browser on client systems, using the remediated JRE version referenced on [_developerWorks Java\u2122 Technology Security Alerts_](<http://www.ibm.com/developerworks/java/jdk/alerts/>) or referenced on [_Oracle\u2019s latest Critical Patch Update_](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) (which can be accessed via [_developerWorks Java\u2122 Technology Security Alerts_](<http://www.ibm.com/developerworks/java/jdk/alerts/>)). Updating the browser Java plug-in may impact some applets such as Maximo Asset Management Scheduler. Download the latest [_Maximo Asset Management Scheduler Interim Fix_](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Maximo+Asset+Management+Scheduler&release=All&platform=All&function=all&source=fc>) for Version 7.1 or the latest [_Maximo Asset Management Fix Pack_](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+Maximo+Asset+Management&release=All&platform=All&function=all&source=fc>) from IBM Fix Central. \n \nDue to the threat posed by a successful attack, IBM strongly recommends that customers apply fixes as soon as possible.\n\n## Workarounds and Mitigations\n\nUntil you apply the fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so IBM strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem. 
Source: [_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Asset and Service Management_](<https://www.ibm.com/support/pages/node/561891>), published 2022-09-22.

## Summary

IBM Initiate Master Data Service is vulnerable to multiple Oracle Java SE and Java SE Embedded issues and could allow remote attackers to affect the confidentiality, integrity, and availability.
## Vulnerability Details

**CVEID:** [_CVE-2017-3514_](<https://vulners.com/cve/CVE-2017-3514>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [_CVE-2017-3512_](<https://vulners.com/cve/CVE-2017-3512>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [_CVE-2017-3526_](<https://vulners.com/cve/CVE-2017-3526>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [_CVE-2017-3509_](<https://vulners.com/cve/CVE-2017-3509>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.2
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>)
**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [_Not Applicable_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=Not>)
**DESCRIPTION:** Use this if you deliver IBM Java and are N/A to the IBM Java SDK update vulnerabilities because the vulnerabilities could not be exploited by your product. However, customers could run their own Java code using the IBM Java Runtime delivered with your product.
CVSS Base Score: 0
CVSS Temporal Score: See [_Not Applicable_](<https://psirt.raleigh.ibm.com/teamworks/Not>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (0)

## Affected Products and Versions

These vulnerabilities are known to affect the following offerings:

IBM Initiate Master Data Service version 10.1

## Remediation/Fixes

The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
_Product_ | _VRMF_ | _APAR_ | _Remediation/First Fix_
---|---|---|---
IBM Initiate Master Data Service | 10.1 | None | [10.1.072717_IM_Initiate_MasterDataService_ALL_Interm Fix](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=10.1.072717_IM_Initiate_MasterDataService_ALL_Interm%20Fix&includeSupersedes=0&source=fc>)

## Workarounds and Mitigations

None

Source: [_Security Bulletin: Multiple security vulnerabilities in Oracle Java SE and Java SE Embedded affects IBM InfoSphere Master Data Management_](<https://www.ibm.com/support/pages/node/565663>), published 2018-06-16.

## Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ Version used by IBM WebSphere Application Server.

IBM Cloud Orchestrator and Cloud Orchestrator Enterprise have addressed the applicable CVEs. These issues were also addressed by IBM WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise.

## Vulnerability Details

**CVEID:** [_CVE-2017-3514_](<https://vulners.com/cve/CVE-2017-3514>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [_CVE-2017-3512_](<https://vulners.com/cve/CVE-2017-3512>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [_CVE-2017-3526_](<https://vulners.com/cve/CVE-2017-3526>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [_CVE-2017-3509_](<https://vulners.com/cve/CVE-2017-3509>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.2
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>)
**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)
**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

## Affected Products and Versions

**Principal Product and Version(s)** | **Affected Supporting Product and Version**
---|---
IBM Cloud Orchestrator V2.5.0.3 and V2.5.0.4 | WebSphere Application Server V8.5.5.11
IBM Cloud Orchestrator V2.4.0.3 and V2.4.0.4 | WebSphere Application Server V8.5.5.12
IBM Cloud Orchestrator Enterprise V2.5.0.3 and V2.5.0.4 | WebSphere Application Server V8.5.5 through V8.5.5.11
IBM Cloud Orchestrator Enterprise V2.4.0.3 and V2.4.0.4 | WebSphere Application Server V8.5.0.1 through V8.5.5.12

## Remediation/Fixes

_Product_ | _VRMF_ | _Remediation/First Fix_
---|---|---
IBM Cloud Orchestrator and Cloud Orchestrator Enterprise | V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3, V2.5.0.4 | For 2.5 versions, upgrade to Fix Pack 4 (2.5.0.4) of IBM Cloud Orchestrator: <http://www-01.ibm.com/support/docview.wss?uid=swg2C4000062>. After you upgrade, apply the appropriate Interim to your environment as soon as practical. For details, see [Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server April 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22003016>).
IBM Cloud Orchestrator and Cloud Orchestrator Enterprise | _V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4_ | For 2.4 versions, upgrade to Fix Pack 4 (2.4.0.5) of IBM Cloud Orchestrator: [_http://www-01.ibm.com/support/docview.wss?uid=swg2C4000063_](<http://www-01.ibm.com/support/docview.wss?uid=swg2C4000063>)

Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server, IBM Business Process Manager, and Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator.

**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin**
---|---|---
IBM Cloud Orchestrator and Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2 | WebSphere Application Server V8.5.5 through V8.5.5.11 | [Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server April 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22003016>). Apply the appropriate fix from the WebSphere Application Server bulletin.
IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4 | WebSphere Application Server V8.5.0.1 through V8.5.5.12 | [Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server April 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22003016>). Apply the appropriate fix from the WebSphere Application Server bulletin.
## Workarounds and Mitigations

None

Source: [_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise_](<https://www.ibm.com/support/pages/node/609319>), published 2018-06-17.

## Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 6, 7 used by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation.
These issues were disclosed as part of the IBM Java SDK updates in Apr 2017.

## Vulnerability Details

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For the complete list of vulnerabilities, refer to the “IBM Java SDK Security Bulletin” link in the “References” section.

**CVEID:** [CVE-2017-3514](<https://vulners.com/cve/CVE-2017-3514>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124893> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [CVE-2017-3512](<https://vulners.com/cve/CVE-2017-3512>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124891> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [CVE-2017-3511](<https://vulners.com/cve/CVE-2017-3511>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

**CVEID:** [CVE-2017-3526](<https://vulners.com/cve/CVE-2017-3526>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124904> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2017-3509](<https://vulners.com/cve/CVE-2017-3509>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124888> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

**CVEID:** [CVE-2017-3544](<https://vulners.com/cve/CVE-2017-3544>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124920> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2017-3533](<https://vulners.com/cve/CVE-2017-3533>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124910> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2017-3539](<https://vulners.com/cve/CVE-2017-3539>)
**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124915> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2017-1289](<https://vulners.com/cve/CVE-2017-1289>)
**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.
\nCVSS Base Score: 8.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125150> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n_Product_ | _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \n_Platform Cluster Manager Standard Edition_ | _4.1.0, 4.1.1, 4.1.1.1, 4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1_ | _None_ | _See below_ \n_Platform Cluster Manager Advanced Edition_ | _4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1_ | _None_ | _See below_ \n_Platform HPC_ | _4.1.1, 4.1.1.1, 4.2.0, 4.2.1_ | _None_ | _See below_ \n_Spectrum Cluster Foundation_ | _4.2.2_ | _None_ | _See below_ \n \n## Remediation/Fixes\n\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. \n\n**Platform Cluster Manager 4.1.x & Platform HPC 4.1.x**\n\n1\\. Download IBM JRE 6.0 x86_64 from the following location: [_http://www.ibm.com/support/fixcentral_](<http://www.ibm.com/support/fixcentral>). (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)\n\n2\\. Copy the tar package to the management node. If high availability is enabled, copy the JRE tar package to the standby management node as well.\n\n3\\. 
If high availability is enabled, shut down the standby management node to avoid triggering a high availability failover.\n\n4\\. On the management node, stop the GUI and PERF services.\n\nHA disabled: \n# pmcadmin stop \n# perfadmin stop all\n\nHA enabled: \n# egosh user logon -u Admin -x Admin \n# egosh service stop all\n\n5\\. On the management node, extract the new JRE files and replace the old bin, lib, and plugin folders with the new ones.\n\n# tar -zxvf ibm-java-jre-6.0-16.45-linux-x86_64.tgz \n# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old \n# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old \n# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old \n# cp -r ibm-java-x86_64-60/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/ \n# cp -r ibm-java-x86_64-60/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/ \n# cp -r ibm-java-x86_64-60/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/\n\n6\\. On the management node, start the GUI and PERF services.\n\nHA disabled: \n# pmcadmin start \n# perfadmin start all\n\nHA enabled: \n# egosh user logon -u Admin -x Admin \n# egosh service start all\n\n**Platform Cluster Manager 4.2.x & Platform HPC 4.2.x & Spectrum Cluster Foundation 4.2.2**\n\n1\\. Download IBM JRE 7.0 x86_64 from the following location: [_http://www.ibm.com/support/fixcentral_](<http://www.ibm.com/support/fixcentral>). (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)\n\n2\\. Copy the tar package to the management node. If high availability is enabled, copy the JRE tar package to the standby management node as well.\n\n3\\. If high availability is enabled, shut down the standby management node to avoid triggering a high availability failover.\n\n4\\. On the management node, stop the GUI and PERF services.\n\n# pcmadmin service stop --group ALL\n\n5\\. 
On the management node, extract the new JRE files and replace the old bin, lib, and plugin folders with the new ones.\n\n# tar -zxvf ibm-java-jre-7.0-10.5-linux-x86_64.tgz \n# mv /opt/pcm/jre/bin /opt/pcm/jre/bin-old \n# mv /opt/pcm/jre/lib /opt/pcm/jre/lib-old \n# mv /opt/pcm/jre/plugin /opt/pcm/jre/plugin-old \n# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/jre/ \n# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/jre/ \n# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/jre/ \n# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old \n# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old \n# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old \n# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/ \n# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/ \n# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/\n\n6\\. On the management node, start the GUI and PERF services.\n\n# pcmadmin service start --group ALL\n\n7\\. 
If high availability is enabled, start up the standby management node and replace the bin, lib, and plugin folders under /opt/pcm/web-portal/jre/linux-x86_64 on the standby management node.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-23T05:10:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2019-05-23T05:10:01", "id": "F3281BDF12838A6B3ED12BD80CD3612FF58D26B7086E8FAFB840576788B1DD6C", "href": "https://www.ibm.com/support/pages/node/631175", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:47:12", "description": "## Summary\n\nThere are multiple vulnerabilities in 
IBM\u00ae SDK Technology Edition, Version 6 and Version 7 that are used by IBM Content Classification. IBM Content Classification has addressed the applicable CVEs. These issues were disclosed as part of the IBM Java SDK updates in Apr 2017.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3514_](<https://vulners.com/cve/CVE-2017-3514>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2017-3512_](<https://vulners.com/cve/CVE-2017-3512>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3526_](<https://vulners.com/cve/CVE-2017-3526>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2017-3509_](<https://vulners.com/cve/CVE-2017-3509>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. 
\nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_Not Applicable_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=Not>) \n**DESCRIPTION:** Use this if you deliver IBM Java and are N/A to the IBM Java SDK update vulnerabilities because the vulnerabilities could not be exploited by your product. However, customers could run their own Java code using the IBM Java Runtime delivered with your product. 
\nCVSS Base Score: 0 \nCVSS Temporal Score: See [_Not Applicable_](<https://psirt.raleigh.ibm.com/teamworks/Not>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (0)\n\n## Affected Products and Versions\n\nIBM Content Classification v8.8\n\n## Remediation/Fixes\n\n**Product** | **VRM** | **Remediation** \n---|---|--- \nIBM Content Classification | 8.8 | Use IBM Content Classification [Fix Pack 0007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Content%20Management&product=ibm/Information+Management/Content+Classification&release=8.8&platform=Windows&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:18:31", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", 
"CVE-2017-3544"], "modified": "2018-06-17T12:18:31", "id": "EAABE6F81833E502D3B98BC1D1570F277CA2F4F2BFB1C5E240CA9BC66C85DE9F", "href": "https://www.ibm.com/support/pages/node/563771", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:50:35", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 8 used by IBM QRadar Network Security. IBM QRadar Network Security has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**Relevant CVE Information:**\n\n**CVEID:** [_CVE-2017-3514_](<https://vulners.com/cve/CVE-2017-3514>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3512_](<https://vulners.com/cve/CVE-2017-3512>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3526_](<https://vulners.com/cve/CVE-2017-3526>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2017-3509_](<https://vulners.com/cve/CVE-2017-3509>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. 
\nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM QRadar Network Security 5.4\n\n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation/First Fix_ \n---|---|--- \nIBM QRadar Network Security | Firmware version 5.4 | Install Firmware 5.4.0.2 from the Available Updates page of the Local Management Interface, or by performing a One Time Scheduled Installation from SiteProtector. \nOr \nDownload Firmware 5.4.0.2 from [IBM Security License Key and Download Center](<https://ibmss.flexnetoperations.com/control/isdl/home>) and upload and install via the Available Updates page of the Local Management Interface. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T22:00:11", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM QRadar Network Security", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2018-06-16T22:00:11", "id": "E9F8D8D5FB66C431AFEE6576AA9B1D7020366F95234DFBF8766FADB1972A76F4", "href": "https://www.ibm.com/support/pages/node/560649", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:50:36", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 7 used by IBM Security Network Protection. 
IBM Security Network Protection has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**Relevant CVE Information:**\n\n**CVEID:** [_CVE-2017-3514_](<https://vulners.com/cve/CVE-2017-3514>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3512_](<https://vulners.com/cve/CVE-2017-3512>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3526_](<https://vulners.com/cve/CVE-2017-3526>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2017-3509_](<https://vulners.com/cve/CVE-2017-3509>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. 
\nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Security Network Protection 5.3.1 \nIBM Security Network Protection 5.3.3\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nIBM Security Network Protection| Firmware version 5.3.1| Download Firmware 5.3.1.14 from [IBM Security License Key and Download Center](<https://ibmss.flexnetoperations.com/control/isdl/home>) and upload and install via the Available Updates page of the Local Management Interface. \nIBM Security Network Protection| Firmware version 5.3.3| Download Firmware 5.3.3.4 from [IBM Security License Key and Download Center](<https://ibmss.flexnetoperations.com/control/isdl/home>) and upload and install via the Available Updates page of the Local Management Interface. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T22:00:11", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2018-06-16T22:00:11", "id": "178BA37EC0E384C071E3C2ABDC8AA2080AA024B08ACEC18B79D283DF4E354DE2", "href": "https://www.ibm.com/support/pages/node/560645", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:55:53", "description": "## Summary\n\nJava SE issues disclosed in the Oracle April 2017 Critical Patch Update\n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2017-3514 CVE-2017-3512 CVE-2017-3511 CVE-2017-3509 CVE-2017-3544 CVE-2017-3533 CVE-2017-3539 CVE-2017-1289 CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 \n \nThis bulletin covers all 
applicable Java SE CVEs published by Oracle as part of their April 2017 Critical Patch Update. For more information, please refer to [_Oracle's April 2017 CPU Advisory_](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA>) and the X-Force database entries referenced below. \n\nThis bulletin also describes five additional vulnerabilities which affect IBM WebSphere Real Time.\n\n**CVEID:** [CVE-2017-3514](<https://vulners.com/cve/CVE-2017-3514>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124893> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2017-3512](<https://vulners.com/cve/CVE-2017-3512>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124891> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-3511](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-3526](<https://vulners.com/cve/CVE-2017-3526>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124904> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2017-3509](<https://vulners.com/cve/CVE-2017-3509>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124888> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [CVE-2017-3544](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124920> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3533](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124910> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3539](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124915> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-1289](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. 
\nCVSS Base Score: 8.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125150> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect IBM WebSphere Real Time Version 3 Service Refresh 10 Fix Pack 1 and earlier releases.\n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are included in IBM WebSphere Real Time Version 3 Service Refresh 10 Fix Pack 5 and subsequent releases. \n \nIBM customers should download WebSphere Real Time updates from [Fix Central](<http://www.ibm.com/support/fixcentral/>). \n \nIBM WebSphere Real Time releases can also be downloaded from [_developerWorks_](<http://www.ibm.com/developerworks/java/jdk/index.html>). 
\n \n**APAR numbers are as follows:**\n\n[_IV95261_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95261>) (CVE-2017-3514) \n[_IV95262_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95262>) (CVE-2017-3512) \n[_IV95263_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95263>) (CVE-2017-3511) \n[_IV95264_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95264>) (CVE-2017-3509) \n[_IV95265_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95265>) (CVE-2017-3544) \n[_IV95266_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95266>) (CVE-2017-3533) \n[_IV95267_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95267>) (CVE-2017-3539) \n[_IV95456_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95456>) (CVE-2017-1289) \n[_IV95268_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95268>) (CVE-2016-9840) \n[_IV95268_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95268>) (CVE-2016-9841) \n[_IV95268_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95268>) (CVE-2016-9842) \n[_IV95268_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV95268>) (CVE-2016-9843)\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:32", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities may affect IBM\u00ae WebSphere Real Time", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2018-06-15T07:07:32", "id": "CD802469E7091F3B4C36A2C1558796086B9FF4A18435BCFD596F5D926EE2CF18", "href": "https://www.ibm.com/support/pages/node/560321", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:44:34", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition that is used by IBM Tivoli Monitoring. These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3514](<https://vulners.com/cve/CVE-2017-3514>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124893> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2017-3512](<https://vulners.com/cve/CVE-2017-3512>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124891> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-3511](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-3509](<https://vulners.com/cve/CVE-2017-3509>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124888> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [CVE-2017-3544](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124920> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3533](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124910> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3539](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124915> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-1289](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. 
\nCVSS Base Score: 8.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125150> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Tivoli Monitoring version 6.2.3 Fix Pack 01 through 6.3.0 Fix Pack 07\n\n## Remediation/Fixes\n\nThese vulnerabilities exist where the affected Java Runtime Environment (JRE) is installed on systems running the Tivoli Enterprise Portal Browser client or Java WebStart client. The affected JRE is installed on a system when logging into the IBM Tivoli Enterprise Portal using the Browser client or WebStart client and a JRE at the required level does not exist. The portal provides an option to download the provided JRE to the system. \n \nThe fix below provides updated JRE packages for the portal server which can be downloaded by new client systems. Once the fix has been installed on the portal server, instructions in the README can be used to download the updated JRE from the portal to the portal clients. 
\n\n**_Fix_**| **_VRMF_**| **_How to acquire fix_** \n---|---|--- \n6.X.X-TIV-ITM_JRE_TEP-20170817| 6.2.3 FP1 through 6.3.0 FP7| <http://www.ibm.com/support/docview.wss?uid=swg24043981> \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:43:58", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2018-06-17T15:43:58", "id": "7D7C2F7950E4FCA765164EC739C1CE4D46C2BCAFE840312CE4E8D2D5364FD1D4", "href": "https://www.ibm.com/support/pages/node/566347", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:44:43", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Java Runtime, Versions 6.0, 7.0 and 8.0 that are used by IBM Tivoli Composite Application Manager for Transactions. 
These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3514](<https://vulners.com/cve/CVE-2017-3514>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124893> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-3512](<https://vulners.com/cve/CVE-2017-3512>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124891> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-3511](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-3509](<https://vulners.com/cve/CVE-2017-3509>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 4.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124888> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [CVE-2017-3539](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124915> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-1289](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125150> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Tivoli Composite Application Manager (ITCAM) for Transactions: Versions 7.3.x.x to 7.4.x.x are affected\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Tivoli Composite Application Manager for Transactions| _7.4, 7.3_| _IV97197_| [http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003369](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003369>) \n \nFor older versions of IBM Tivoli Composite Application Manager for Transactions (e.g. 7.1 and 7.2), IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:40:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions (Multiple CVEs)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3539"], "modified": "2018-06-17T15:40:50", "id": "99807FBC1D75A9213BB9ADAC0519BB4BBC77F3C7576E4567F0A4791564E0A87E", "href": "https://www.ibm.com/support/pages/node/561559", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:54:22", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Versions 6 and 7 used by IBM Cognos Metrics Manager. These issues were disclosed as part of the IBM Java SDK updates in Apr 2017.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n * IBM Cognos Metrics Manager 10.2.2\n * IBM Cognos Metrics Manager 10.2.1\n * IBM Cognos Metrics Manager 10.2\n * IBM Cognos Metrics Manager 10.1.1\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix as soon as practical. As the fix is in a shared component across the Business Intelligence portfolio, applying the BI Interim Fix will resolve the issue. Note that the prerequisites named in the links are also satisfied by an IBM Cognos Metrics Manager install of the same version. \n\n \nProduct| Version| Interim Fix \n---|---|--- \nIBM Cognos Metrics Manager| 10.2.2| [IBM Cognos Business Intelligence 10.2.2 Interim Fix 16](<http://www.ibm.com/support/docview.wss?uid=swg24044086>) \nIBM Cognos Metrics Manager| 10.2.1| [IBM Cognos Business Intelligence 10.2.1 Interim Fix 21](<http://www.ibm.com/support/docview.wss?uid=swg24044086>) \nIBM Cognos Metrics Manager| 10.2| [IBM Cognos Business Intelligence 10.2 Interim Fix 24](<http://www.ibm.com/support/docview.wss?uid=swg24044086>) \nIBM Cognos Metrics Manager| 10.1.1| [IBM Cognos Business Intelligence 10.1.1 Interim Fix 23](<http://www.ibm.com/support/docview.wss?uid=swg24044087>) \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2018-06-15T23:19:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2018-06-15T23:19:43", "id": "E8344E5352690AEE3D80EAFF129B1EA71C24ED49E3F39557AC505B036061D7E5", "href": "https://www.ibm.com/support/pages/node/561675", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:53:24", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM\u00ae SDK Java\u2122 Technology Edition, Versions 6 and 7 that are used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThe following products, running on all supported platforms, are affected: \nIBM InfoSphere Information Server: versions 9.1, 11.3 and 11.5 \nIBM InfoSphere Information Server on Cloud: version 11.5\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud| 11.5| [_JR57824_](<http://www.ibm.com/support/docview.wss?uid=swg1JR57824>)| \\--Follow instructions in the [_README_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is115_JR57824_ISF_services_engine_*>) \nInfoSphere Information Server| 11.3| [_JR57824_](<http://www.ibm.com/support/docview.wss?uid=swg1JR57824>)| \\--Follow instructions in the [_README_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113_JR57824_ISF_services_engine_*>) \nInfoSphere Information Server| 9.1| 
[_JR57824_](<http://www.ibm.com/support/docview.wss?uid=swg1JR57824>)| \\--Apply [_JR57824_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is91_JR57824_ISF_services_engine*>) on all tiers \n \n**Technical Support:** \nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [_contacts for other countries_](<http://www.ibm.com/planetwide/>) outside of the United States. \nElectronically [_open a Service Request_](<http://www.ibm.com/software/support/probsub.html>) with Information Server Technical Support. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:48:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2018-06-16T13:48:34", "id": 
"ADC40C69949A3E45DE7D3CD6F77443003EA61DEFE08BECAF5A431BAF9DFF8DD9", "href": "https://www.ibm.com/support/pages/node/562549", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:48:28", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 6, Version 7 and Version 8 used by Rational Directory Server (Tivoli) and Rational Directory Administrator. These issues were disclosed as part of the IBM Java SDK updates in April 2017. Install the recommended iFixes to upgrade the JRE in order to resolve these issues.\n\n## Vulnerability Details\n\nRational Directory Server & Rational Directory Administrator are affected by the following vulnerabilities: \n \n**CVEID**: [CVE-2017-3511](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION**: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID**: [CVE-2017-3509](<https://vulners.com/cve/CVE-2017-3509>) \n**DESCRIPTION**: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 4.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124888> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \n**CVEID**: [CVE-2017-3539](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION**: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124915> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) \n \n**CVEID**: [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION**: zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID**: [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION**: zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID**: [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION**: zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID**: [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION**: zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nRational Directory Server (Tivoli) v5.2.1 iFix 12 and earlier. \n\nRational Directory Administrator v6.0.0.2 iFix 06 and earlier.\n\n## Remediation/Fixes\n\n1\\. 
Install one of the following supported IBM JRE versions, which contain the fixes for these vulnerabilities: \n\n * [IBM Java Runtime Environment, Version 7 R1 Service Refresh 4 Fix Pack 5](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Rational+Directory+Server&fixids=5.2.1-RDS-JRE-71SR4FP5&source=SAR>)\n * [IBM Java Runtime Environment, Version 8 Service Refresh 4 Fix Pack 5](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Rational+Directory+Server&fixids=5.2.1-RDS-JRE-8SR4FP5&source=SAR>)\n \n2\\. After installing a fixed IBM JRE version, install Rational Directory Server v5.2.1 iFix12 and Rational Directory Administrator v6.0.0.2 iFix06 from: \n\n * [Rational Directory Server (Tivoli) Interim Fix 12 for 5.2.1](<https://www.ibm.com/support/docview.wss?uid=swg24043554>)\n * [Rational Directory Administrator Interim Fix 06 for 6.0.0.2](<https://www.ibm.com/support/docview.wss?uid=swg24043555>)\nThese steps update the RDS/RDA configuration to point at the recommended, fixed IBM JRE. 
\n \n_For versions of Rational Directory Server that are earlier than version 5.2.1, and Rational Directory Administrator versions earlier than 6.0.0.2, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:22:13", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3539"], "modified": "2018-06-17T05:22:13", "id": "2DB2D30E9FA2A40CC9322C25F77FD4A65A394FEF238C4AF4674C0AFEF9003394", "href": "https://www.ibm.com/support/pages/node/562737", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:44:45", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 Refresh 10 Fix Pack1 used by Predictive Insights 
1.3.5, and Version 8, which is used by Predictive Insights 1.3.6. These issues were disclosed as part of the IBM Java SDK updates in Apr 2017.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3514_](<https://vulners.com/cve/CVE-2017-3514>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124893> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-3512_](<https://vulners.com/cve/CVE-2017-3512>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124891> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-3509_](<https://vulners.com/cve/CVE-2017-3509>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 4.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124888> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124920> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124910> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124915> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM Operations Analytics Predictive Insights 1.3.6 and earlier\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_IBM Operations Analytics Predictive Insights_| _1.3.0, 1.3.1, 1.3.2_| _None_| Upgrade to 1.3.3 or 1.3.5 and see workaround A, or upgrade to 1.3.6 and see workaround B \n_IBM Operations Analytics Predictive Insights_| _1.3.3, 1.3.5_| _None_| See workaround A \n_IBM Operations Analytics Predictive Insights_| _1.3.6_| _None_| See workaround B \n \n\n\n## Workarounds and Mitigations\n\n__Installation Instructions \u2013 workaround A__ \n \nAs the user that installed the Predictive Insights UI component, e.g. scadmin: \n1\\. Download [_java-sdk-7.0.10.5_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?product=ibm/WebSphere/Java&release=All&platform=All&function=fixId&fixids=7.0.10.5-JavaSE-SDK-Linuxx86_6464&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) from Fix Central \n2\\. Stop the UI server used by IBM Operations Analytics Predictive Insights \n<UI_HOME>/bin/pi.sh -stop \nwhere UI_HOME is typically /opt/IBM/scanalytics/UI \n3\\. cd <UI_HOME> \n4\\. Rename the JAVA SDK installation folder \nmv ibm-java-x86_64-70 ibm-java-x86_64-70_orig \n5\\. Untar ibm-java-sdk-7.0-10.5-linux-x86_64.tgz into the <UI_HOME> folder (this will create a new ibm-java-x86_64-70 folder in <UI_HOME>) \n6\\. 
Start the UI server \n<UI_HOME>/bin/pi.sh -start \n \n \n__Remove Update Instructions \u2013 workaround A__ \n \nAs the user that installed the Predictive Insights UI component, e.g. scadmin: \n1\\. Stop the UI server used by IBM Operations Analytics Predictive Insights \n<UI_HOME>/bin/pi.sh -stop \nwhere UI_HOME is typically /opt/IBM/scanalytics/UI \n2\\. cd <UI_HOME> \n3\\. mv ibm-java-x86_64-70 ibm-java-x86_64-70_iFix \n4\\. Replace the JAVA SDK installation folder with the original \nmv ibm-java-x86_64-70_orig ibm-java-x86_64-70 \n5\\. Start the UI server \n<UI_HOME>/bin/pi.sh -start \n \n \n__Installation Instructions \u2013 workaround B__ \n \nAs the user that installed the Predictive Insights UI component, e.g. scadmin: \n1\\. Download [_java-sdk-8.0.4.5_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?product=ibm/WebSphere/Java&release=All&platform=All&function=fixId&fixids=8.0.4.5-JavaSE-SDK-Linuxx86_6464&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) from Fix Central \n2\\. Stop the UI server used by IBM Operations Analytics Predictive Insights \n<UI_HOME>/bin/pi.sh -stop \nwhere UI_HOME is typically /opt/IBM/scanalytics/UI \n3\\. cd <UI_HOME> \n4\\. Rename the JAVA SDK installation folder \nmv ibm-java-x86_64-80 ibm-java-x86_64-80_orig \n5\\. Untar ibm-java-sdk-8.0-4.5-linux-x86_64.tgz into the <UI_HOME> folder (this will create a new ibm-java-x86_64-80 folder in <UI_HOME>) \n6\\. Start the UI server \n<UI_HOME>/bin/pi.sh -start \n \n \n__Remove Update Instructions \u2013 workaround B__ \n \nAs the user that installed the Predictive Insights UI component, e.g. scadmin: \n1\\. Stop the UI server used by IBM Operations Analytics Predictive Insights \n<UI_HOME>/bin/pi.sh -stop \nwhere UI_HOME is typically /opt/IBM/scanalytics/UI \n2\\. cd <UI_HOME> \n3\\. mv ibm-java-x86_64-80 ibm-java-x86_64-80_iFix \n4\\. Replace the JAVA SDK installation folder with the original \nmv ibm-java-x86_64-80_orig ibm-java-x86_64-80 \n5\\. 
Start the UI server \n<UI_HOME>/bin/pi.sh -start \n \n\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2018-06-17T15:40:26", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Operations Analytics Predictive Insights", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2018-06-17T15:40:26", "id": "3276133560FCE4A64E2C5D5F2CAD2023D886DD4CE502EBDAC4AD25EBEE86FDF7", "href": "https://www.ibm.com/support/pages/node/560599", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:51:49", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 1.6 and 1.7 that are used by FSM. These issues were disclosed as part of the IBM Java SDK updates in April 2017. 
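Workaround A and workaround B in the Predictive Insights bulletin above (and their removal instructions) amount to renaming the SDK directory under <UI_HOME>, unpacking the downloaded archive in its place, and keeping the old tree for rollback. The shell functions below are an added example, not IBM's script and not anything shipped with Predictive Insights; they wrap that swap with the checks an operator would want before replacing a JVM: refuse to overwrite an existing _orig backup, refuse an archive whose members are not all under the expected directory name (a wrong download, or an archive carrying absolute or ../ paths), and put the backup back automatically if the unpacked tree has no working bin/java. Assumptions the bulletin does not state: the SDK lives at <UI_HOME>/<JDK_DIR>, the Fix Central archive unpacks to exactly that directory name (as step 5 says it does for 7.0.10.5 and 8.0.4.5), and pi.sh -stop / -start are run by the caller around the swap. The demo_swap function builds a throwaway layout with a constructed stand-in for bin/java; it is not a real SDK.

```shell
#!/bin/sh
# Added example (not IBM's tooling): a checked, reversible form of the
# "workaround A / workaround B" SDK directory swap from the Predictive
# Insights bulletin. Assumed layout: <UI_HOME>/<JDK_DIR>, archive unpacks
# to <JDK_DIR>/..., and the caller runs pi.sh -stop / -start around it.
set -eu

# swap_jdk UI_HOME JDK_DIR ARCHIVE
# Bulletin steps 3-5: rename <JDK_DIR> to <JDK_DIR>_orig, unpack ARCHIVE into
# UI_HOME. Refuses to run if an _orig backup already exists or if any archive
# member is absolute, contains "..", or sits outside <JDK_DIR>/; rolls the
# rename back if the unpacked tree has no executable bin/java.
swap_jdk() {
    ui_home=$1; jdk_dir=$2; archive=$3
    if [ ! -d "$ui_home/$jdk_dir" ]; then
        echo "swap_jdk: $ui_home/$jdk_dir not found" >&2; return 1
    fi
    if [ -e "$ui_home/${jdk_dir}_orig" ]; then
        echo "swap_jdk: ${jdk_dir}_orig already exists; refusing to overwrite the backup" >&2; return 1
    fi
    # inspect the listing before touching anything on disk
    tar -tf "$archive" | while IFS= read -r member; do
        case $member in
            /*|../*|*/../*|*/..) echo "swap_jdk: unsafe path '$member' in $archive" >&2; exit 1 ;;
            "$jdk_dir"/*) ;;
            *) echo "swap_jdk: member '$member' is outside $jdk_dir/ (wrong archive?)" >&2; exit 1 ;;
        esac
    done || return 1
    mv "$ui_home/$jdk_dir" "$ui_home/${jdk_dir}_orig"
    if tar -xf "$archive" -C "$ui_home" && [ -x "$ui_home/$jdk_dir/bin/java" ] \
       && "$ui_home/$jdk_dir/bin/java" -version >/dev/null 2>&1; then
        return 0
    fi
    echo "swap_jdk: unpack failed or bin/java unusable; restoring ${jdk_dir}_orig" >&2
    rm -rf "$ui_home/$jdk_dir"
    mv "$ui_home/${jdk_dir}_orig" "$ui_home/$jdk_dir"
    return 1
}

# rollback_jdk UI_HOME JDK_DIR
# The bulletin's "Remove Update Instructions": keep the patched tree as
# <JDK_DIR>_iFix and move <JDK_DIR>_orig back into place.
rollback_jdk() {
    ui_home=$1; jdk_dir=$2
    if [ ! -d "$ui_home/${jdk_dir}_orig" ]; then
        echo "rollback_jdk: no ${jdk_dir}_orig backup to restore" >&2; return 1
    fi
    if [ -e "$ui_home/${jdk_dir}_iFix" ]; then
        echo "rollback_jdk: ${jdk_dir}_iFix already exists; move it aside first" >&2; return 1
    fi
    mv "$ui_home/$jdk_dir" "$ui_home/${jdk_dir}_iFix"
    mv "$ui_home/${jdk_dir}_orig" "$ui_home/$jdk_dir"
}

# make_fake_sdk PARENT JDK_DIR LABEL
# Constructed stand-in for an SDK tree: only bin/java, which prints LABEL.
# Lets the swap be exercised without a real IBM SDK; not a JVM.
make_fake_sdk() {
    mkdir -p "$1/$2/bin"
    printf '#!/bin/sh\necho "fake java %s"\n' "$3" > "$1/$2/bin/java"
    chmod 755 "$1/$2/bin/java"
}

# demo_swap: throwaway <UI_HOME> with a "7.0.10.1" tree, swap in "7.0.10.5",
# then roll back, printing what bin/java reports at each stage.
demo_swap() {
    d_work=$(mktemp -d); d_home="$d_work/UI"; d_jdk=ibm-java-x86_64-70
    make_fake_sdk "$d_home" "$d_jdk" 7.0.10.1            # currently installed
    make_fake_sdk "$d_work/stage" "$d_jdk" 7.0.10.5      # the "downloaded" SDK
    tar -cf "$d_work/sdk.tar" -C "$d_work/stage" "$d_jdk"
    swap_jdk "$d_home" "$d_jdk" "$d_work/sdk.tar"
    "$d_home/$d_jdk/bin/java" -version                   # fake java 7.0.10.5
    rollback_jdk "$d_home" "$d_jdk"
    "$d_home/$d_jdk/bin/java" -version                   # fake java 7.0.10.1
    rm -rf "$d_work"
}

if [ "${1:-}" = demo ]; then demo_swap; fi
```

Saved as, say, swap_jdk.sh (a name chosen here), `sh swap_jdk.sh demo` runs the swap and rollback against the constructed layout. For the real procedure, source the file and call `swap_jdk /opt/IBM/scanalytics/UI ibm-java-x86_64-70 ibm-java-sdk-7.0-10.5-linux-x86_64.tgz` between `pi.sh -stop` and `pi.sh -start` (for workaround B, `ibm-java-x86_64-80` and the 8.0.4.5 archive); `tar -xf` reads the .tgz directly. The listing check is what protects against unpacking the wrong download over a production JVM, which the bare `mv` plus `untar` in the bulletin does not.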
This bulletin addresses these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n \nFlex System Manager 1.3.4.0 \nFlex System Manager 1.3.3.0 \nFlex System Manager 1.3.2.1 \nFlex System Manager 1.3.2.0\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM and all affected remote Common Agent Services (CAS) endpoints using the instructions referenced in this table. \n \n \n\n\nProduct| VRMF| Remediation \n---|---|--- \nFlex System Manager| 1.3.4.0| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote [829047509](<http://www-01.ibm.com/support/docview.wss?uid=nas7a9c49e57131ba060862581a2005fb4e8>) for instructions on installing updates for FSM version 1.3.4 and Agents. \nFlex System Manager| 1.3.3.0| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote [829047509](<http://www-01.ibm.com/support/docview.wss?uid=nas7a9c49e57131ba060862581a2005fb4e8>) for instructions on installing updates for FSM version 1.3.3 and Agents. \nFlex System Manager| 1.3.2.0 \n1.3.2.1| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote [829047509](<http://www-01.ibm.com/support/docview.wss?uid=nas7a9c49e57131ba060862581a2005fb4e8>) for instructions on installing updates for FSM version 1.3.2 and Agents. \n \nFor all other VRMF IBM recommends upgrading to a fixed, supported version/release of the product. \n \nNote: Installation of the fixes provided in the technote will install a cumulative fix package that will update the version of the FSM. Reference the technote for more details. 
\n \n\n\nYou should verify applying this fix does not cause any compatibility issues. The fix may disable older encrypted protocols by default.\n\nIBM recommends that you review your entire environment to identify other areas where you have enabled weak encryption and take appropriate mitigation and remediation actions.\n\nFor a complete listing of FSM security iFixes go to this technote: [http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E](<http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-18T01:38:10", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3539"], "modified": "2018-06-18T01:38:10", "id": 
"3F639035BAB0EB875C9E9E808512F3E2A87A86BDD91C548658A2E7907F9A7846", "href": "https://www.ibm.com/support/pages/node/632109", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:49:46", "description": "## Summary\n\nMultiple vulnerabilities in IBM Java SDK affect IBM QRadar SIEM.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n\u00b7 IBM QRadar SIEM 7.2.0 \u2013 7.2.8 Patch 8 \n\n\u00b7 IBM QRadar SIEM 7.3.0 \u2013 7.3.0 Patch 3\n\n## Remediation/Fixes\n\n[\u00b7 _QRadar/QRM/QVM/QRIF/QNI 7.2.8 Patch 9_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=All&function=fixId&fixids=7.2.8-QRADAR-QRSIEM-20170726184122&includeRequisites=1&includeS>)\n\n[\u00b7 _QRadar/QRM/QVM/QRIF/QNI 7.3.0 Patch 4_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=All&function=fixId&fixids=7.3.0-QRADAR-QRSIEM-20170830160510&includeRequisites=1&includeS>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T22:02:18", "type": "ibm", "title": "Security Bulletin: IBM Java SDK as used in IBM QRadar SIEM is vulnerable to multiple CVE\u2019s.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3533", "CVE-2017-3544"], "modified": "2018-06-16T22:02:18", "id": "4CB34725F1E54FB000F6F431C0E55F2FC9A5C31FD2A568506AABE35E44D674CD", "href": "https://www.ibm.com/support/pages/node/296119", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:54:22", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 that is used by IBM Cognos Command Center. These issues were disclosed as part of the IBM Java SDK updates in April 2017. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3544_](<https://vulners.com/cve/CVE-2017-3544>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Cognos Command Center 10.2 All Editions \n\nIBM Cognos Command Center 10.2.1 All Editions\n\nIBM Cognos Command Center 10.2.2 All Editions\n\nIBM Cognos Command Center 10.2.3 All Editions\n\nIBM Cognos Command Center 10.2.4 All Editions\n\n## Remediation/Fixes\n\nThe recommended fix is to upgrade to the latest Interim Fix : IBM Cognos Command Center 10.2.4 IF3 \n \n[IBM Cognos Command Center 10.2.4 Interim Fix 3](<http://www-01.ibm.com/support/docview.wss?uid=swg24043838>)\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T23:46:50", "type": "ibm", "title": "Security Bulletin: 
Multiple vulnerabilities in IBM\u00ae Java Runtime affect IBM Cognos Command Center", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3533", "CVE-2017-3544"], "modified": "2018-06-15T23:46:50", "id": "31CE758E4CAEC8E3CF50284009624A075DC3EF2C6C68F39AC01EBA9D5FEFB150", "href": "https://www.ibm.com/support/pages/node/563847", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:13:32", "description": "## Summary\n\nThe IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement products are affected by multiple security vulnerabilities that exist in the IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server. The security bulletin includes issues disclosed as part of the IBM Java SDK updates in April 2017. \nThe IBM Emptoris Strategic Supply Management Suite of products include IBM Emptoris Contract Management, IBM Emptoris Sourcing, IBM Emptoris Spend Analysis, IBM Emptoris Program Management, IBM Emptoris Strategic Supply Management and IBM Emptoris Supplier Lifecycle Management.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3511_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511>)** \nDESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-1289_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\nIBM Emptoris Contract Management 9.5 through 10.1.x \nIBM Emptoris Program Management 10.0.0 through 10.1.x \nIBM Emptoris Sourcing 10.0.0 through 10.1.x \nIBM Emptoris Spend Analysis 10.0.0 through 10.1.x \nIBM Emptoris Supplier Lifecycle Management 9.5 through 10.1.x \nIBM Emptoris Strategic Supply Management 10.0.0 through 10.1.x \nIBM Emptoris Services Procurement 10.x\n\n## Remediation/Fixes\n\nAn interim fix has been issued for IBM WebSphere Application Server (WAS) that upgrades the bundled IBM Java Development Kit to a version not susceptible to these vulnerabilities. Customers running any of the IBM Emptoris products listed above should apply the interim fix to every IBM WebSphere Application Server installation used to run IBM Emptoris applications. Please refer to [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server April 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22003016>) for details. \n \nSelect the WebSphere Application Server fix that matches the WAS version used by your IBM Emptoris product version. The following table lists the IBM Emptoris application versions, the corresponding required version of IBM WebSphere Application Server, and a link to the corresponding fix, where further installation instructions are provided. 
\n \n\n\n**Emptoris Product Version**| **WAS Version**| **Java Version**| **Remediation** \n---|---|---|--- \n9.5.x.x| 8.0.0.x| Java 6| Apply Interim Fix [_PI80736_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043640>) \n10.0.0.x, 10.0.1.x| 8.5.0.x| Java 6| Apply Interim Fix [_PI80734_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043636>) \n10.0.2.x, 10.0.4| 8.5.5.x| Java 6| Apply Interim Fix [_PI80733_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043628>) (the WAS 8.5.5.x fix) \n10.1.x| 8.5.5.x| Java 7| Apply Interim Fix [_PI80733_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043628>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSYQ72\",\"label\":\"Emptoris Strategic Supply Management\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Platform\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"Version Independent\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQ89\",\"label\":\"Emptoris Contract Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYRER\",\"label\":\"Emptoris Program Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYR6U\",\"label\":\"Emptoris Services Procurement\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYR8W\",\"label\":\"Emptoris Sourcing\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQAR\",\"label\":\"Emptoris Spend Analysis\"},\"Business 
Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQ72\",\"label\":\"Emptoris Strategic Supply Management\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYRC7\",\"label\":\"Emptoris Supplier Lifecycle Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T20:10:13", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3511"], "modified": "2018-06-16T20:10:13", "id": "24BEC163EA3BD84B7E22E782C3DC394F6DF7C93AF1345B97BF7B378DB6C0978E", "href": "https://www.ibm.com/support/pages/node/562289", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:39:02", "description": "## Summary\n\nMultiple security vulnerabilities exist in the IBM\u00ae Runtime Environment Java\u2122 Technology Edition Version 6 Service Refresh 16 Fix Pack 41 and earlier releases used by WebSphere Message Broker, and the IBM\u00ae Runtime Environment Java\u2122 Technology Edition Version 7 Service Refresh 10 Fix Pack 1 and earlier releases used by WebSphere Message Broker and IBM Integration Bus, and the IBM\u00ae Runtime Environment Java\u2122 Technology Edition Version 7R1 Service Refresh 4 Fix Pack 1 and earlier releases used by IBM Integration Bus. These issues were disclosed as part of the IBM Java SDK updates in April 2017. WebSphere Message Broker and IBM Integration Bus have addressed the applicable CVEs\n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the \u201cIBM Java SDK Security Bulletin\u201d, located in the References section for more information. \n \n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>)** \nDESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Integration Bus V10.0.0.0- 10.0.0.8 \n\nIBM Integration Bus V9.0.0.0- 9.0.0.7\n\nWebSphere Message Broker V8.0.0.0 - 8.0.0.8\n\n## Remediation/Fixes\n\n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation/Fix** \n---|---|---|--- \nIBM Integration Bus| V10.0.0.0- 10.0.0.8| IT20410 | The APAR is available in fix pack 10.0.0.9 (on all platforms except HP) \n\n<http://www-01.ibm.com/support/docview.wss?uid=swg24043686> \n \nIBM Integration Bus| V9.0.0.0- 9.0.0.7| IT20410 | The APAR is available in fix pack 9.0.0.8 (on all platforms except HP) \n\n<http://www-01.ibm.com/support/docview.wss?uid=swg24043751> \n \nWebSphere Message Broker| V8.0.0.0 - 8.0.0.8| IT20410 | The APAR is available in fix pack 8.0.0.9 (on all platforms except HP) \n\n[https://www.ibm.com/support/docview.wss?uid=swg24043806 ](<https://www.ibm.com/support/docview.wss?uid=swg24043806>) \n \n \n \n_For unsupported versions of the product IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n \nThe planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at : \n[http://www.ibm.com/support/docview.wss?uid=swg27006308 ](<http://www.ibm.com/support/docview.wss?uid=swg27006308>) \n\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, 
"impactScore": 5.9}, "published": "2020-03-23T20:41:52", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3511"], "modified": "2020-03-23T20:41:52", "id": "897BD3B4F1AAC6EED08738625EBD9E80E8717A8D987B96413DF479B6723EAE04", "href": "https://www.ibm.com/support/pages/node/563723", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:55:49", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 6, 7 and 8 that are used by IBM MQ. These issues were disclosed as part of the Java SDK updates from IBM in April 2017.\n\n## Vulnerability Details\n\nIf you run your own Java code using the Java runtime environment from IBM delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the \u201cIBM Java SDK Security Bulletin\u201d, located in the References section for more information. \n \n\n\n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3533_](<https://vulners.com/cve/CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**_IBM MQ 9.0.0.x Long Term Support (LTS)_** \nMaintenance level 9.0.0.0 only for HP-UX and Solaris \nMaintenance levels 9.0.0.0 and 9.0.0.1 for Windows, Linux and AIX \n \n**_IBM MQ 9.0.x Continuous Delivery Release (CDR)_** \nContinuous delivery update 9.0 and 9.0.2 \n \n**_IBM MQ Appliance 9.0.x_** \nUpdate 9.0.1 and 9.0.2 \n\n * **_IBM MQ 8.0_** \nMaintenance levels between 8.0.0.0 and 8.0.0.6 \n \n**_IBM MQ Appliance 8.0_** \nMaintenance levels between 8.0.0.0 and 8.0.0.6 \n \n**_WebSphere MQ 7.5_** \nMaintenance levels between 7.5.0.0 and 7.5.0.7 \n \n**_WebSphere MQ 7.1_** \nMaintenance levels between 7.1.0.0 and 7.1.0.8 \n\n## Remediation/Fixes\n\n**_IBM MQ 9.0.0.0_** \nApply [fixpack 9.0.0.1](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.1&platform=All&function=all&useReleaseAsTarget=true>) for HP-UX and Solaris \nApply [fixpack 9.0.0.2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.2&platform=All&function=all&useReleaseAsTarget=true>) for Windows, Linux and AIX \n \n**_IBM MQ 9.0, 9.0.2 and IBM MQ Appliance 9.0.x_** \nUpgrade to [IBM MQ 9.0.3](<http://www-01.ibm.com/support/docview.wss?uid=swg24043697>) \n \n**_IBM MQ V8.0 & IBM MQ Appliance V8.0_** \nApply fix pack [8.0.0.7](<http://www-01.ibm.com/support/docview.wss?uid=swg21995100>) or later maintenance \n \n**_WebSphere MQ 7.5_** \nApply fix pack [7.5.0.8](<http://www-01.ibm.com/support/docview.wss?uid=swg22005413>) \n \n**_WebSphere MQ 7.1_** \nApply iFix 
[IT20034](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=7.1&platform=All&function=aparId&apars=IT20034>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:42", "type": "ibm", "title": "Security Bulletin: A vulnerability in Java runtime from IBM affects IBM WebSphere MQ", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3511", "CVE-2017-3533"], "modified": "2018-06-15T07:07:42", "id": "6B9292518BB2DE690D288915563E761BAAA1EBD5DD0ABEDA82AB1A2A27ECC59E", "href": "https://www.ibm.com/support/pages/node/563365", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:51:57", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7 that is used by IBM Systems Director. 
These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nFrom the IBM System Director command line enter smcli lsver to determine the level of IBM System Director installed. 
\n \nIBM Systems Director: \n\n\n * 6.1.0.0\n * 6.1.0.1\n * 6.1.0.2\n * 6.1.0.3\n * 6.1.1.1\n * 6.1.1.2\n * 6.1.1.3\n * 6.1.2.0\n * 6.1.2.1\n * 6.1.2.2\n * 6.1.2.3\n * 6.2.0.0\n * 6.2.0.1\n * 6.2.0.2\n * 6.2.1.0\n * 6.2.1.0\n * 6.2.1.1\n * 6.2.1.2\n * 6.3.0.0 \n * 6.3.1.0 \n * 6.3.1.1 \n * 6.3.2.0 \n * 6.3.2.1 \n * 6.3.2.2 \n * 6.3.3.0 \n * 6.3.3.1 \n * 6.3.5.0 \n * 6.3.6.0\n * 6.3.7.0\n\n## Remediation/Fixes\n\nIBM Systems Director version pre 6.3.5 are unsupported and will not be fixed. IBM recommends upgrading to a fixed, supported version of the product. \n\n\nFollow the instructions mentioned in Technote [823714366](<http://www-01.ibm.com/support/docview.wss?uid=nas7b960420ee4f31d3c8625816b005ce8de>) to apply the fix for releases:\n\n * 6.3.5.0\n * 6.3.6.0\n * 6.3.7.0\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-18T01:37:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", 
"CVE-2017-3539"], "modified": "2018-06-18T01:37:42", "id": "19A64FA95A7399923972AF11D00347F8B583B858F1E49BDAEB233B18EF1C6AD1", "href": "https://www.ibm.com/support/pages/node/631875", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:41:35", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7.1 that is used by IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2, and v5.0.2. The issues were disclosed as part of the IBM Java SDK updates in Apr 2017.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3539_](<https://vulners.com/cve/CVE-2017-3539>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Application Delivery Intelligence 1.0.1, 1.0.1.1, 1.0.2, and 5.0.2\n\n## Remediation/Fixes\n\nCustomers need to perform the following steps to apply the fix: \n \n1\\. Stop the server. Navigate to the _unzipped-archive/adi/server_ directory and run this script: _server.shutdown._ \n2\\. Delete jre directory from _unzipped-archive/server/jre._ \n3\\. Download _ibm-java-jre-7.1-4.5_, unzip it and copy the jre directory to _unzipped-archive/server_ (you are providing the jre directory that you deleted in step 2). \n \nDownload links: \n \n**Windows:** \n`[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Application+Delivery+Intelligence&fixids=adi-ibm-java-jre-7.1-4.5-win-x86_64&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Application+Delivery+Intelligence&fixids=adi-ibm-java-jre-7.1-4.5-win-x86_64&source=SAR>)` \n \n**Linux:** \n`[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Application+Delivery+Intelligence&fixids=adi-ibm-java-jre-7.1-4.5-linux-x86_64&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Application+Delivery+Intelligence&fixids=adi-ibm-java-jre-7.1-4.5-linux-x86_64&source=SAR>)`\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Java SDK affecting IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2 and v5.0.2. (CVE-2017-3539, CVE-2016-9840, CVE-2016-9841,CVE-2016-9842, CVE-2016-9843)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3539"], "modified": "2018-08-03T04:23:43", "id": "8A3D1FB34A9203E75C1042FBE52CBB4D2871AD957405E4A8E5787376E2F41ED4", "href": "https://www.ibm.com/support/pages/node/563749", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:53:22", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 8, Service Refresh 4, Fix Pack 1 used by IBM Streams. IBM Streams has addressed the applicable CVEs. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. 
\nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThe following versions may be impacted: \n\n * IBM Streams Version 4.2.1.1 and earlier\n * IBM InfoSphere Streams Version 4.1.1.4 and earlier\n * IBM InfoSphere Streams Version 4.0.1.4 and earlier\n * IBM InfoSphere Streams Version 3.2.1.6 and earlier\n * IBM InfoSphere Streams Version 3.1.0.8 and earlier \n * IBM InfoSphere Streams Version 3.0.0.6 and earlier \n\n## Remediation/Fixes\n\n**NOTE:** Fix Packs are available on IBM Fix Central. 
\n \nTo remediate/fix this issue, follow the instructions below: \n\n\n * Version 4.2.x: Apply [4.2.1 Fix Pack 2 (4.2.1.2) or higher](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.2.1.0&platform=All&function=all>).\n * Version 4.1.x: Apply [4.1.1 Fix Pack 5 (4.1.1.5) or higher](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.1.1.0&platform=All&function=all>).\n * Version 4.0.x: Apply [4.0.1 Fix Pack 5 (4.0.1.5) or higher](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.0.1.0&platform=All&function=all>).\n * Versions 3.2.x, 3.1.x, and 3.0.x: For versions earlier than 4.x.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product. Customers who cannot upgrade and need to secure their installation should open a PMR with IBM Technical Support and request assistance securing their InfoSphere Streams system against the vulnerabilities identified in this Security Bulletin. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:50:00", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Streams", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289"], "modified": "2018-06-16T13:50:00", "id": "E301E0519734937AC59DD72B2C32645B675CAAE314FC5B9203ADEB4F826A3B93", "href": "https://www.ibm.com/support/pages/node/565991", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:50:08", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition, Version 7 used by IBM Fabric Manager. These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\n**Summary**\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 used by IBM Fabric Manager. 
These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n**Vulnerability Details:**\n\n**CVEID:** [CVE-2017-1289](<https://vulners.com/cve/CVE-2017-1289>)\n\n**Description:** IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.\n\nCVSS Base Score: 8.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125150> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**Affected Products and Versions**\n\nProduct | Affected Version \n---|--- \nIBM Fabric Manager | 4.1 \n \n**Remediation/Fixes:**\n\nProduct | Fix Version \n---|--- \nIBM Fabric Manager \n(ibm_sw_ifm-4.1.09.0054_windows_32-64.exe) \n(ibm_sw_ifm-4.1.09.0054_linux_32-64.bin) | 4.1.09.0054 \n \n**Workaround(s) & Mitigation(s):**\n\nNone\n\n**References:**\n\n * [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide.html>)\n * [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0>)\n * [IBM Java SDK Security Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21997194>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n[Lenovo Product Security Advisories](<https://support.lenovo.com/us/en/product_security/home>)\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n23 May 2017: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-31T02:25:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289"], "modified": "2019-01-31T02:25:02", "id": "E2B6332D131E92F00335E072DD2A0EE059481E0A2714FCB41E993B0CDB050618", "href": 
"https://www.ibm.com/support/pages/node/868720", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:48:27", "description": "## Summary\n\nJazz Team Server is shipped as a component of Jazz Reporting Service (JRS). Information about multiple security vulnerabilities affecting Jazz Team Server and Jazz-based products has been published in a security bulletin. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3511](<https://vulners.com/cve/CVE-2017-3511>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product(s) and Version(s) \n---|--- \nJRS 5.0, 5.0.1, 5.0.2| Jazz Foundation 5.0, 5.0.1, 5.0.2 \nJRS 6.0, 6.0.1, 6.0.2, 6.0.3| Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3 \n* Both JRS and Jazz Foundation are part of Rational Collaborative Lifecycle Management. 
\n\n## Remediation/Fixes\n\nConsult the security bulletin [Security Bulletin: Vulnerability in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology](<http://www-01.ibm.com/support/docview.wss?uid=swg22004599>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:22:19", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in Jazz Team Server shipped with Jazz Reporting Service", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3511"], "modified": "2018-06-17T05:22:19", "id": "2F9B8E7CD04F88375E7DA644A637018DCE889D492AB253B36AAC20CA2B0659B3", "href": "https://www.ibm.com/support/pages/node/562985", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:37:51", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java Technology Edition, Version 1.6 and 1.7 that are used by IBM Jazz Team 
Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM). These issues were disclosed as part of the IBM Java SDK updates in April 2017. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n** ** \n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 4.0 - 6.0.3 \n \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 - 6.0.3 \n \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 - 6.0.3 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 - 6.0.3 \n \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 - 6.0.3 \n \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 - 6.0.3 \n \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0 - 6.0.3\n\n## Remediation/Fixes\n\n**IMPORTANT CONSIDERATIONS:** \n\n\n 1. If your product is deployed on WebSphere Application Server (WAS) and your deployment does not use an Eclipse based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of your IBM Rational product, and only upgrade the JRE in the WAS server.\n 2. For the below remediations, if you are a WAS deployment, then WAS must also be remediated, in addition to performing your product upgrades. Follow instructions at [ Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server April 2017 CPU](<http://www.ibm.com/support/docview.wss?uid=swg22003016>) to get the WAS remediation . 
\nIf you are deploying the Rational products to a WAS Liberty or a Tomcat Server, you will need to follow the instructions below to upgrade the JRE, and then must also complete the configuration steps below to finish the upgrade process: \n \n3.1. **Stop the server**: Navigate to the Server directory in your Rational product installation path and run this script: _server.shutdown_ \n \n3.2. Navigate to the server directory in your Rational product installation path, open the **_server.startup_** script using your preferred text editor (e.g., Notepad for Windows or Vim Editor for Linux) and add one more option to the healthcenter parameter set: \n\n\nSearch for the parameter _-Dcom.ibm.java.diagnostics.healthcenter.agent_ in the server.startup script to find the line containing the health center parameter. \n \nNOTE: For some Rational Collaborative Lifecycle Management versions, the _-Dcom.ibm.java.diagnostics.healthcenter.agent_ parameter may not be found in server.startup; in this case the update is not needed and you can start using your server. 
\n**Windows:** \nModify the line (where the HEALTHCENTER_OPTS parameter is located) by adding a new healthcenter option: _-Dsun.rmi.registry.registryFilter=javax.rmi.CORBA.Stub_ \n \n**_Before modification:_** \nset HEALTHCENTER_OPTS=-agentlib:healthcenter -Dcom.ibm.java.diagnostics.healthcenter.agent.port=1972 \n**_After modification:_** \nset HEALTHCENTER_OPTS=-agentlib:healthcenter -Dcom.ibm.java.diagnostics.healthcenter.agent.port=1972 -Dsun.rmi.registry.registryFilter=javax.rmi.CORBA.Stub \n \n**Linux:** \nModify the line (where the HEALTHCENTER_OPTS parameter is located) by adding a new healthcenter option: _-Dsun.rmi.registry.registryFilter=javax.rmi.CORBA.Stub_ \n \n**_Before modification:_** \nexport HEALTHCENTER_OPTS=\"-agentlib:healthcenter -Dcom.ibm.java.diagnostics.healthcenter.agent.port=1972\" \n**_After modification:_** \nexport HEALTHCENTER_OPTS=\"-agentlib:healthcenter -Dcom.ibm.java.diagnostics.healthcenter.agent.port=1972 -Dsun.rmi.registry.registryFilter=javax.rmi.CORBA.Stub\" \n \n3.3. **Start the server**. Navigate to the Server directory in your Rational product installation path and run this script: _server.startup_ \n \n**STEPS TO APPLY THE REMEDIATION:** \n \n1\\. Upgrade your products to a supported version: **4.0.7**, **5.0.2**, **6.0.2, or 6.0.3** \n2\\. Apply the latest ifix for your installed version. \n3\\. Obtain the April 2017 CPU update for the IBM\u00ae Java SDK. 
\n \nBased on version installed, obtain the latest ifixes (recommended), and the below indicated java from: \nFor the 6.0.3 releases: **JRE 7.1.4.5** **_(<product>-JavaSE-JRE-7.1SR4FP5_**) \n\n * [_Rational Collaborative Lifecycle Management 6.0.3_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.3&platform=All&function=all>)\n * [_Rational Team Concert 6.0.3_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Team+Concert&release=6.0.3&platform=All&function=all>)\n * [_Rational Quality Manager 6.0.3_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Quality+Manager&release=6.0.3&platform=All&function=all>)\n * [_Rational DOORS Next Generation 6.0.3_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=6.0.3&platform=All&function=all>)[](<https://jazz.net/downloads/design-management/releases/5.0>)[](<https://jazz.net/downloads/design-management/releases/5.0>)\n * Rational Software Architect Design Manager:_ _Upgrade to version 6.0.3 and install server and JRE from [_CLM 6.0.3_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.3&platform=All&function=all>)\n * Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.3 and install server and JRE from [_CLM 6.0.3_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.3&platform=All&function=all>)\n * Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.3 and install server and JRE from [_CLM 
6.0.3_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.3&platform=All&function=all>)\n \nFor the 6.0.2 releases: **JRE 7.1.4.5** **_(<product>-JavaSE-JRE-7.1SR4FP5_**) \n\n * [_Rational Collaborative Lifecycle Management 6.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.2&platform=All&function=all>)\n * [_Rational Team Concert 6.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Team+Concert&release=6.0.2&platform=All&function=all>)\n * [_Rational Quality Manager 6.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Quality+Manager&release=6.0.2&platform=All&function=all>)\n * [_Rational DOORS Next Generation 6.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=6.0.2&platform=All&function=all>)[](<https://jazz.net/downloads/design-management/releases/5.0>)[](<https://jazz.net/downloads/design-management/releases/5.0>)\n * Rational Software Architect Design Manager:_ _Upgrade to version 6.0.2 and install server and JRE from [_CLM 6.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.2&platform=All&function=all>)\n * Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.2 and install server and JRE from [_CLM 6.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.2&platform=All&function=all>)\n * Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.2 and install server and JRE from [_CLM 
6.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.2&platform=All&function=all>)\n * For the 5.x releases: **JRE 6.0.16.45** _(<product>-JavaSE-JRE-6.0SR16FP45)_ \n\n * [_Rational Collaborative Lifecycle Management 5.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=5.0.2&platform=All&function=all>)\n * [_Rational Team Concert 5.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Team+Concert&release=5.0.2&platform=All&function=all>)\n * [_Rational Quality Manager 5.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Quality+Manager&release=5.0.2&platform=All&function=all>)\n * [_Rational DOORS Next Generation 5.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=5.0.2&platform=All&function=all>)\n * Rational Software Architect Design Manager: Upgrade to version 5.0.2 and install the server and JRE from [_CLM 5.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=5.0.2&platform=All&function=all>)\n * Rational Rhapsody Design Manager: Upgrade to version 5.0.2 and install the server and JRE from [_CLM 5.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=5.0.2&platform=All&function=all>)\n * Rational Engineering Lifecycle Manager: Upgrade to version 5.0.2 and install the server and JRE from [_CLM 5.0.2_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=5.0.2&platform=All&function=all>)\n \n * For the 4.x releases: **JRE 6.0.16.45** _(<product>-JavaSE-JRE-6.0SR16FP45)_ \n\n * [_Rational Collaborative Lifecycle Management 4.0.7_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=4.0.7&platform=All&function=all>)\n * [_Rational Team Concert 4.0.7_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Team+Concert&release=4.0.7&platform=All&function=all>)\n * [_Rational Quality Manager 4.0.7_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FRational&product=ibm/Rational/Rational+Quality+Manager&release=4.0.7&platform=All&function=all>)\n * [_Rational DOORS Next Generation/Requirements Composer 4.0.7_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=4.0.7&platform=All&function=all>)\n * Rational Software Architect Design Manager: Upgrade to version 4.0.7 and install the server and JRE from [_CLM 4.0.7_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=4.0.7&platform=All&function=all>)\n * Rational Rhapsody Design Manager: Upgrade to version 4.0.7 and install the server and JRE from [_CLM 4.0.7_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=4.0.7&platform=All&function=all>)\n * Rational Engineering Lifecycle Manager: Upgrade to version 4.0.7 and install the server and JRE from [_CLM 4.0.7_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=4.0.7&platform=All&function=all>)\n\n4\\. Upgrade your JRE following the instructions in the link below: \n[_How to update the IBM SDK for Java of IBM Rational products based on version 3.0.1.6 or later of IBM's Jazz technology_](<http://www.ibm.com/support/docview.wss?uid=swg21674139>) \n \n5\\. Navigate to the server directory in your Rational product installation path, and then to its jre/lib/security subdirectory. \n \n6\\. Open the **_java.security_** file in a text editor (for example, Notepad on Windows or Vim on Linux) and remove the MD5 entry from the jdk.jar.disabledAlgorithms property. Be aware that this re-enables verification of JAR signatures that use MD5, which the updated JRE's default java.security otherwise treats as unsigned; change only this entry and leave the rest of the list intact: \n\n**_Before modification:_** \njdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 \n \n**_After modification:_** \njdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3511"], "modified": "2021-04-28T18:35:50", "id": "13B56D8C0FB1D8138F3B83A754F566044FC0E8E777475654B6FB56B4D638D131", "href": "https://www.ibm.com/support/pages/node/562543", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:53:26", "description": "## Summary\n\nzlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \n\n## Vulnerability Details\n\n**CVE IDs: **CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 \n \n**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM SPSS Analytic Server 2.0.1.0 \nIBM SPSS Analytic Server 2.0.0.0\n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 50 and subsequent releases. 
\n\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:48:22", "type": "ibm", "title": "Security Bulletin: zlib vulnerability may affect IBM\u00ae SDK, Java\u2122 Technology Edition", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-16T13:48:22", "id": "6C5CA7A0756525376C7822618AC97C4C45E220AEABF472D45F8EB40E1DAA2ECD", "href": "https://www.ibm.com/support/pages/node/562329", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:06:28", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 7, 7R1 and 8 used by IBM MessageSight. These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. 
For a complete list of vulnerabilities, refer to the \u201cIBM Java SDK Security Bulletin\u201d, located in the References section for more information. \n \n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n_Product_| _Versions_ \n---|--- \nIBM MessageSight| v2.0 - 2.0.0.1 \nIBM MessageSight| v1.2 - 1.2.0.3 \nIBM MessageSight| v1.1 - 1.1.0.1 \n \n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM MessageSight| 2.0| IT20660| [_2.0.0.1-IBM-IMA-IF__IT20660_](<http://www.ibm.com/support/docview.wss?uid=swg22004204>) \nIBM MessageSight| 1.2| IT20660| [_1.2.0.3-IBM-IMA-IF__IT20660_](<http://www.ibm.com/support/docview.wss?uid=swg22004281>) \nIBM MessageSight| 1.1| IT20660| _1.1.0.1-IBM-IMA-IF__IT20660_ \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator 
v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\nMarch 29, 2018\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. 
\"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSCGGQ\",\"label\":\"IBM MessageSight\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"1.1;1.2;2.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:40:33", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-17T15:40:33", "id": "44FD06DF739AE850EF4B0FD8EDFD9F3CA1D49EF6D12D841D2F929127DE9A82D8", "href": "https://www.ibm.com/support/pages/node/560997", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:41:21", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 8.0.4.2 and earlier used by Rational Asset Analyzer. Rational Asset Analyzer has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nRational Asset Analyzer 6.1.x.x\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_Rational Asset Analyzer_| _6.1.x.x_| \n| [_Upgrade to Fixpack 14_](<http://www-01.ibm.com/support/docview.wss?uid=swg27021389>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset Analyzer", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-08-03T04:23:43", "id": "33998453A003DBEE91ADD9693A86AFA03B4197141BC03C7326ABC834DD122179", "href": "https://www.ibm.com/support/pages/node/560751", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:38:38", "description": "## Summary\n\nVulnerabilities were reported in zlib. zlib is used by IBM Sterling Connect:Direct FTP+. IBM Sterling Connect:Direct FTP+ has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n \n \n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\nIBM Sterling Connect:Direct FTP+ 1.3.0 \nIBM Sterling Connect:Direct FTP+ 1.2.0\n\n## Remediation/Fixes\n\n**V.R.M.F**\n\n| **APAR**| **Remediation/First Fix** \n---|---|--- \n1.3.0| IT21636| Apply 1.3.0 Fix007, available on [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Connect%3ADirect+FTP+Plus&release=1.3.0.0&platform=All&function=fixId&fixids=1.3.0*iFix007*&includeSupersedes=0>). \n1.2.0| IT21636| Apply 1.2.0 Fix008, available on [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Connect%3ADirect+FTP+Plus&release=1.2.0.0&platform=All&function=fixId&fixids=1.2.0*iFix008*&includeSupersedes=0>). 
\n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-24T22:49:37", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in zlib affect IBM Sterling Connect:Direct FTP+ (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2020-07-24T22:49:37", "id": "4E6CB74FB7D203CB1C470A05E770CBD3E765AE50F7B3C4E134920903F84E879E", "href": "https://www.ibm.com/support/pages/node/565771", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:38:27", "description": "## Summary\n\nVulnerabilities were reported in zlib. zlib is used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Sterling Connect:Direct for Microsoft Windows 4.6.0.0 through 4.6.0.6_iFix014 \nIBM Sterling Connect:Direct for Microsoft Windows 4.7.0.0 through 4.7.0.4_iFix026\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nIBM Sterling Connect:Direct for Microsoft Windows| 4.6.0| [IT19769](<http://www.ibm.com/support/docview.wss?uid=swg1IT19769>)| Apply 4.6.0.6_iFix015, available on [Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/Sterling+Connect%3ADirect+for+Microsoft+Windows&release=4.6.0.6&platform=All&function=aparId&apars=IT19769>) \nIBM Sterling Connect:Direct for Microsoft Windows| 4.7.0| [IT19769](<http://www.ibm.com/support/docview.wss?uid=swg1IT19769>)| Apply 4.7.0.5, available on [Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/Sterling+Connect%3ADirect+for+Microsoft+Windows&release=4.7.0.5&platform=All&function=aparId&apars=IT19769>) \n_For older versions/releases IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", 
"baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-24T22:19:08", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in zlib affect IBM Sterling Connect:Direct for Microsoft Windows (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2020-07-24T22:19:08", "id": "0934C1352C5406475AA8AB9609B9D4DCFCFF7F2AEDF9E98A07D0478988A7A0A6", "href": "https://www.ibm.com/support/pages/node/294677", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:36:10", "description": "## Summary\n\nzlib compression library is vulnerable to a denial of service attack. \nBy persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**IBM Common Inventory Technology** **v2.x**\n\n## Remediation/Fixes\n\nUpgrade IBM Common Inventory Technology (CIT) to version 2.8.0.4000 (or later) which is shipped with IBM BigFix Inventory or IBM License Metric Tool 9.2.8 fixlet site content: \n\n * In IBM BigFix Console, expand **IBM License Reporting** or **IBM BigFix Inventory** node under **Sites** node in the tree panel. \n * Click **Fixlets and Tasks** node.\n * In the **Fixlets and Tasks** panel locate _Install or Upgrade Scanner_ fixlet and run it against the computer that hosts IBM Common Inventory Technology component.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-19T23:53:56", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in zlib affects IBM Common Inventory Technology (CIT)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2022-08-19T23:53:56", "id": "98F6490D4B8AE15246447D15D378CC7551E1EE4AAF47318A1862E455782A2AA6", "href": "https://www.ibm.com/support/pages/node/564493", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:45:59", "description": "## Summary\n\nThere are multiple vulnerabilities in zlib that is used by IBM Tivoli Composite Application Manager for Transactions.\n\n## Vulnerability Details\n\n**Relevant CVE Information:** \n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Tivoli Composite Application Manager (ITCAM) for Transactions: Version 7.4 is affected.\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Tivoli Composite Application Manager for Transactions (Internet Service Monitoring)| _7.4_| | [http://www-01.ibm.com/support/docview.wss?uid=isg400003327](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003327>) \nIBM Tivoli Composite Application Manager for Transactions (Response Time)| _7.4_| | [http://www-01.ibm.com/support/docview.wss?uid=isg400003181](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003181>) \nIBM Tivoli Composite Application Manager for Transactions (Transaction Tracking)| _7.4_| | [_http://www-01.ibm.com/support/docview.wss?uid=isg400003496_](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003496>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:37:00", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in zlib affect IBM Tivoli Composite Application Manager for Transactions (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-17T15:37:00", "id": "C78E313156769242854AA6E673C6EC4AC033D53D999E2BFD8BB6310088D89BA1", "href": "https://www.ibm.com/support/pages/node/293031", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:54", "description": "## Summary\n\nThe gz feature, provided by the open source zlib, is used to decompress files automatically. A denial of service may be caused by four potential vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM ILOG CPLEX Optimization Studio (COS) v12.7 and earlier \nIBM ILOG CPLEX Enterprise Server (CES) v12.7 and earlier\n\n## Remediation/Fixes\n\nPlease upgrade to IBM ILOG CPLEX Optimization Studio v12.7.1 in which the problem is fixed. \n\n\n## Workarounds and Mitigations\n\nThe workaround is to stop using the gz feature. 
You will need to decompress model files before trying to solve them with IBM ILOG CPLEX Optimization Studio. The gz feature is optional and not required for solving mathematical problems.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:45:40", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in zlib affect IBM ILOG CPLEX Optimization Studio", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-16T13:45:40", "id": "0523FF3F956DB287969101421EBAC9414833A03BB2D6A69218EF5788A0017EF7", "href": "https://www.ibm.com/support/pages/node/290667", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:07", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 1.8.0 used by IBM Support Assistant Team Server. 
These issues were disclosed as part of the IBM Java SDK updates in Apr 2017.\n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities please refer to the link for \u201cIBM Java SDK Security Bulletin\u201d located in the \u201cReferences\u201d section for more information. \n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Support Assistant Team Server version 5.0.0 - 5.0.2.4\n\n## Remediation/Fixes\n\nThe recommended solution is to install the new IBM Support Assistant Team Server 5.0.2.5. 
\nFor V5.0.0 through 5.0.2.4, IBM recommends upgrading to [_IBM Support Assistant Team Server 5.0.2.5_](<http://www.ibm.com/software/support/isa/teamserver.html>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:08:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Support Assistant Team Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-15T07:08:34", "id": "8D3956B91BC1A4130CF4694F32CFB0D3E54127B086F2B460888432C4B1F84573", "href": "https://www.ibm.com/support/pages/node/300787", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:42", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Versions 6, 7 and 8 used by IBM ILOG CPLEX Optimization Studio. 
These issues were disclosed as part of the IBM Java SDK updates in October 2017.\n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities please refer to the link for \u201cIBM Java SDK Security Bulletin\u201d located in the \u201cReferences\u201d section for more information. \n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM ILOG CPLEX Optimization Studio v12.8 and earlier\n\n## Remediation/Fixes\n\nFrom v12.4 to v12.5.1: \n[IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 55](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Decision%20Optimization&product=ibm/WebSphere/IBM+ILOG+CPLEX+Optimization+Studio&release=All&platform=All&function=fixId&fixids=JRE6sr16fp55-DO-COS-*&includeSupersedes=0>) and subsequent releases \n \nFrom v12.6 to v12.6.3: \n[IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 15](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Decision%20Optimization&product=ibm/WebSphere/IBM+ILOG+CPLEX+Optimization+Studio&release=All&platform=All&function=fixId&fixids=JRE7sr10fp15-DO-COS-*&includeSupersedes=0>) and subsequent releases \n \nFrom v12.7: \n[IBM SDK, Java Technology Edition, Version 8 Service Refresh 
5 Fix Pack 5](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Decision%20Optimization&product=ibm/WebSphere/IBM+ILOG+CPLEX+Optimization+Studio&release=All&platform=All&function=fixId&fixids=JRE8sr5fp5-DO-COS-*&includeSupersedes=0>) and subsequent releases \n \n \nThe recommended solution is to download and install the appropriate version of IBM JRE as soon as practicable. \n\nBefore installing a newer version of IBM JRE, please ensure that you:\n\n * Close any open programs that you may have running;\n * Rename the initial directory of the IBM JRE (for example, with a .old at the end);\n * Download and install the appropriate IBM JRE version.\n \n[Here are the detailed instructions](<http://www.ibm.com/support/docview.wss?uid=swg21691504>) for updating IBM JRE. \n \nYou must verify that applying this fix does not cause any compatibility issues. \n \n_For HP-UX, MacOS and Solaris, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T14:18:08", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-16T14:18:08", "id": "5044E5293B9754C69B0891B3588C7B4821905631CB104EB9A444E8BFACEE0DDE", "href": "https://www.ibm.com/support/pages/node/300311", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:42", "description": "## Summary\n\nDb2 is affected by vulnerabilities in IBM\u00ae JDK. This only affects customers using Integrated Text Search. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAll fix pack levels of IBM Db2 V9.7, V10.1, V10.5, and V11.1 editions on all platforms are affected. \n\n## Remediation/Fixes\n\nThe recommended solution is to apply the appropriate fix for this vulnerability. \n \nThe fix for this vulnerability is in the latest version of IBM JDK. 
Customers running any vulnerable fixpack level of an affected Program, V9.7, V10.1, V10.5 or V11.1 can download the latest version of IBM JDK from [Fix Central ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=*java*&includeSupersedes=0>) \n \nAffected IBM Releases: \n\n * 6.0.16.41 and earlier\n * 6.1.8.41 and earlier\n * 7.0.10.1 and earlier\n * 7.1.4.1 and earlier\n * 8.0.4.2 and earlier\n \nFixed IBM Releases: \n\n * 6.0.16.45\n * 6.1.8.45\n * 7.0.10.5\n * 7.1.4.5\n * 8.0.4.5\n \nRefer to the table below to determine the IBM JDK level that contains the fix. Then follow the instructions below to perform the JDK installation. \n\n**Db2 Release**| **Fixed IBM Release** \n---|--- \n**V9.7.x**| 6.0.16.45 or later \n**V10.1.x**| 7.0.10.5 or later \n**V10.5.x**| 7.0.10.5 or later (6.0.16.45 or later for LinuxIA64) \n**V11.1.x**| 8.0.4.5 or later \n \nInstructions for IBM JDK Installation can be found here: \n<http://www-01.ibm.com/support/docview.wss?uid=swg27050993> \n\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T14:17:49", "type": "ibm", "title": "Security Bulletin: IBM\u00ae Db2\u00ae is affected by vulnerabilities in the IBM\u00ae SDK, Java Technology Edition Quarterly Critical Patch Updates (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-16T14:17:49", "id": "EC8B2A4CDBFA6EBDE382A53216DCC70855E8F3C2F95899FBF2F80922B646C764", "href": "https://www.ibm.com/support/pages/node/299195", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:41:05", "description": "## Summary\n\nIBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is affected by vulnerabilities in zlib. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAll fix pack levels and editions of IBM DB2 V9.7, V10.1, V10.5 and V11.1 on all platforms are affected.\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the appropriate fix for this vulnerability. \n \n**FIX:** \n \nThe fix for DB2 V11.1.1 is in V11.1.2 FP2, available for download from [Fix Central](<http://www-01.ibm.com/support/docview.wss?uid=swg24043789>). 
\n \nCustomers running any vulnerable fixpack level of an affected Program, V9.7, V10.1 and V10.5 can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: DB2 V9.7 FP11, V10.1 FP6 and V10.5 FP8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. \n\n\n**Release** | **Fixed in fix pack** | **APAR** | **Download URL** \n---|---|---|--- \nV9.7 | TBD | [IT19129](<http://ww-01.ibm.com/support/docview.wss?uid=swg1IT19129>) | Special Build for V9.7 FP11: \n\n * [AIX 64-bit](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36621_DB2-aix64-universal_fixpack-9.7.0.11-FP011%3A295420436839289984&includeSupersedes=0>) \n[HP-UX 64-bit](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36621_DB2-hpipf64-universal_fixpack-9.7.0.11-FP011%3A559118548880344640&includeSupersedes=0>) \n[Linux 32-bit, x86-32](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36621_DB2-linuxia32-universal_fixpack-9.7.0.11-FP011%3A493892676213928832&includeSupersedes=0>) \n[Linux 64-bit, x86-64 ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36621_DB2-linuxx64-universal_fixpack-9.7.0.11-FP011%3A300382240411677696&includeSupersedes=0>) \n[Linux 64-bit, POWER\u2122 big 
endian](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36621_DB2-linuxppc64-universal_fixpack-9.7.0.11-FP011%3A514612211429849472&includeSupersedes=0>) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36621_DB2-linux390x64-universal_fixpack-9.7.0.11-FP011%3A951701924094309760&includeSupersedes=0>) \n[Solaris 64-bit, SPARC](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36621_DB2-sun64-universal_fixpack-9.7.0.11-FP011%3A217907730605394272&includeSupersedes=0>) \n[Solaris 64-bit, x86-64 ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36621_DB2-sunamd64-universal_fixpack-9.7.0.11-FP011%3A933222080934747520&includeSupersedes=0>) \n[Windows 32-bit, x86](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36621_DB2-nt32-universal_fixpack-9.7.1100.352-FP011%3A409620038230767552&includeSupersedes=0>) \n[Windows 64-bit, x86](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36621_DB2-ntx64-universal_fixpack-9.7.1100.352-FP011%3A216382999286058976&includeSupersedes=0>) \nV10.1 | TBD | [IT20564](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT20564>) | Special Build for V10.1 
FP6: \n\n * [AIX 64-bit](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36610_DB2-aix64-universal_fixpack-10.1.0.6-FP006%3A410039100857511488&includeSupersedes=0>) \n[HP-UX 64-bit](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36610_DB2-linuxppc64-universal_fixpack-10.1.0.6-FP006%3A508152866296274624&includeSupersedes=0>) \n[Linux 32-bit, x86-32](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36610_DB2-linuxia32-universal_fixpack-10.1.0.6-FP006%3A360605570796541120&includeSupersedes=0>) \n[Linux 64-bit, x86-64 ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36610_DB2-linuxx64-universal_fixpack-10.1.0.6-FP006%3A900752905230254592&includeSupersedes=0>) \n[Linux 64-bit, POWER\u2122 big endian](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36610_DB2-linuxppc64-universal_fixpack-10.1.0.6-FP006%3A508152866296274624&includeSupersedes=0>) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36610_DB2-linux390x64-universal_fixpack-10.1.0.6-FP006%3A583888935220191872&includeSupersedes=0>) \n[Solaris 64-bit, 
SPARC](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36610_DB2-sun64-universal_fixpack-10.1.0.6-FP006%3A538238874510496128&includeSupersedes=0>) \n[Solaris 64-bit, x86-64 ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36610_DB2-sunamd64-universal_fixpack-10.1.0.6-FP006%3A567367764137406080&includeSupersedes=0>) \n[Windows 32-bit, x86](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_36610_DSClients-nt32-odbc_cli-10.1.600.580-FP006%3A743621270518094848&includeSupersedes=0>) \n[Windows 64-bit, x86](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_36610_DB2-ntx64-universal_fixpack-10.1.600.580-FP006%3A746174255552998016&includeSupersedes=0>) \nV10.5 | FP9 | [IT20565](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT20565>) | <http://www-01.ibm.com/support/docview.wss?uid=swg24044110> \nV11.1.2 | FP2 | [IT20566](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT20566>) | <http://www-01.ibm.com/support/docview.wss?uid=swg24043789> \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, 
"impactScore": 5.9}, "published": "2018-08-24T18:49:38", "type": "ibm", "title": "Security Bulletin: IBM\u00ae DB2\u00ae LUW on AIX and Linux Affected by vulnerabilities in zlib (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843).", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-08-24T18:49:38", "id": "341536E53F57185EA75D10127E60326F447DC0CEB3BD2529556523EE0CA51597", "href": "https://www.ibm.com/support/pages/node/562765", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:41:14", "description": "## Summary\n\nzlib vulnerabilities were disclosed in December 2016 by the zlib project. zlib is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect IBM SDK for Node.js v4.8.0.0 and earlier releases. \nThese vulnerabilities affect IBM SDK for Node.js v6.10.1.0 and earlier releases.\n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are included in IBM SDK for Node.js v4.8.2.0 and subsequent releases. \nThe fixes for these vulnerabilities are included in IBM SDK for Node.js v6.10.2.0 and subsequent releases. \n \nIBM SDK for Node.js can be downloaded, subject to the terms of the developerWorks license, from [_here_](<https://developer.ibm.com/node/sdk/>). \n \nIBM customers requiring an update for an SDK shipped with an IBM product should contact [_IBM support_](<http://www.ibm.com/support/>), and/or refer to the appropriate product security bulletin.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-09T04:20:36", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in zlib affect IBM\u00ae SDK for Node.js\u2122 (CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-08-09T04:20:36", "id": "45E5270A35561019D33445AEB6511C121125D7384B2D125E5311025EA1608937", "href": "https://www.ibm.com/support/pages/node/558017", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:53:25", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Versions 6, 7 and 8 used by IBM ILOG CPLEX Optimization Studio. These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities please refer to the link for \u201cIBM Java SDK Security Bulletin\" located in the \u201cReferences\u201d section for more information. \n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM ILOG CPLEX Optimization Studio v12.7.1 and earlier\n\n## Remediation/Fixes\n\nFrom v12.4 to v12.5.1: \n[IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 45](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Decision%20Optimization&product=ibm/WebSphere/IBM+ILOG+CPLEX+Optimization+Studio&release=All&platform=All&function=fixId&fixids=JRE6sr16fp45-DO-COS-*&includeSupersedes=0>) and subsequent releases \n \nFrom v12.6 to v12.6.3: \n[IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 5](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Decision%20Optimization&product=ibm/WebSphere/IBM+ILOG+CPLEX+Optimization+Studio&release=All&platform=All&function=fixId&fixids=JRE7sr10fp5-DO-COS-*&includeSupersedes=0>) and subsequent releases \n \nFrom v12.7: \n[IBM SDK, Java Technology Edition, Version 8 Service Refresh 4 Fix Pack 2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Decision%20Optimization&product=ibm/WebSphere/IBM+ILOG+CPLEX+Optimization+Studio&release=All&platform=All&function=fixId&fixids=JRE8sr4fp5-DO-COS-*&includeSupersedes=0>) and subsequent releases \n \n \nThe recommended solution is to download and install the appropriate version of IBM JRE as soon as practicable. 
\n\n\n * Before installing a newer version of IBM JRE, please ensure that you:\n * Close any open programs that you may have running;\n * Rename the initial directory of the IBM JRE (for example: with a .old at the end),\n * Download and install the appropriate IBM JRE version.\n \n[Here are the detailed instructions](<http://www.ibm.com/support/docview.wss?uid=swg21691504>) for updating IBM JRE. \n \nYou must verify that applying this fix does not cause any compatibility issues. \n \n_For HP-UX, MacOS and Solaris, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:48:04", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-16T13:48:04", "id": "44373FBC27AB2CB6A088179B907273AC0E340671DB1E50147770AD49071FDB60", "href": "https://www.ibm.com/support/pages/node/560597", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:53:25", "description": "## Summary\n\nThere are multiple vulnerabilities in the zlib component used by IBM SPSS Statistics Version 21, 22, 23, and 24.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM SPSS Statistics 21.0.0.2 \nIBM SPSS Statistics 22.0.0.2 \nIBM SPSS Statistics 23.0.0.3 \nIBM SPSS Statistics 24.0.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**APAR**\n\n| \n\n**Remediation/First Fix** \n \n---|---|---|--- \nIBM SPSS Statistics| 21.0.0.2| None| Install [_Statistics 21 FP002 IF012_](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=21.0.0.2&platform=All&function=all>) \nIBM SPSS Statistics| 22.0.0.2| None| Install [_Statistics 22 FP002 IF013_](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=22.0.0.2&platform=All&function=all>) \nIBM SPSS Statistics| 23.0.0.3| None| Install [_Statistics 23 FP003 IF006_](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.3&platform=All&function=all>) \nIBM SPSS Statistics| 24.0.0.1| None| Upgrade to [_24 
FixPack 2_](<http://www.ibm.com/support/docview.wss?uid=swg24043574>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:48:03", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the zlib component affect IBM SPSS Statistics (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-16T13:48:03", "id": "9B50306B7A42F9EE61BFC96EB63947631A4C496BC5787819FEEB876B581172E8", "href": "https://www.ibm.com/support/pages/node/560449", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:53:26", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 and IBM\u00ae Runtime Environment Java\u2122 Versions 6 and 7 used by IBM Decision Optimization Center. 
These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities please refer to the link for \u201cIBM Java SDK Security Bulletin\" located in the \u201cReferences\u201d section for more information. \n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Decision Optimization Center v3.9 and earlier\n\n## Remediation/Fixes\n\n**IBM ILOG ODM Enterprise** \nFrom v3.6 to v3.7.0.2: [IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 45](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Decision%20Optimization&product=ibm/WebSphere/IBM+ILOG+Optimization+Decision+Manager&release=All&platform=All&function=fixId&fixids=SDK6sr16fp45-DO-ODME-*&includeSupersedes=0>) and subsequent releases \n \n \n**IBM Decision Optimization Center** \nFrom v3.8 to v3.8.0.1: [IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 45](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Decision%20Optimization&product=ibm/WebSphere/IBM+ILOG+Optimization+Decision+Manager&release=All&platform=All&function=fixId&fixids=SDK6sr16fp45-DO-DOC-*&includeSupersedes=0>) and subsequent releases \n 
\nFrom v3.8.0.2: [IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 5](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Decision%20Optimization&product=ibm/WebSphere/IBM+ILOG+Optimization+Decision+Manager&release=All&platform=All&function=fixId&fixids=SDK7sr10fp5-DO-DOC-*&includeSupersedes=0>) and subsequent releases \n \n \nThe recommended solution is to download and install the IBM Java SDK as soon as practicable. \n \nBefore installing a newer version of IBM Java SDK, please ensure that you: \n\n * Close any open programs that you have running;\n * Rename the initial directory of the IBM Java SDK (for example: with a .old at the end),\n * Download and install IBM Java SDK.\n \n[Here are the detailed instructions](<http://www.ibm.com/support/docview.wss?uid=swg21691505>) for updating IBM Java SDK. \n \nYou must verify that applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:48:03", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime IBM affect IBM Decision Optimization Center and IBM ILOG ODM Enterprise", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-16T13:48:03", "id": "0717E67F851353A7B32370B5F1D4C4E25A578BB895F8C1C4225A6FE132C9B953", "href": "https://www.ibm.com/support/pages/node/560595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:53:27", "description": "## Summary\n\nVulnerabilities have been addressed in the open source zlib library component of IBM Data Server Driver Package and IBM Data Server Driver for ODBC and CLI.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThe following editions are affected in fix pack V11.1 on all Platforms. \n\\- IBM Data Server Driver for ODBC and CLI \n\\- IBM Data Server Driver Package\n\n## Remediation/Fixes\n\nThe fix for this problem is available for IBM Data Server Driver Package and IBM Data Server Driver for ODBC and CLI in Db2 11.1.2.2 (Mod 2 fix pack 2) and later. 
\n\nRefer to the following chart to determine how to proceed to obtain a needed fix pack.\n\nProduct| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nIBM Data Server Driver Package | DB2 11.1 Mod 2 Fix Pack 2 | Nil| [MacOS 64 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-macos-dsdriver-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n[Linux/390x 64 bit](<https://www-945.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=DSClients-linux390x64-dsdriver-11.1.2.2-FP002&continue=1>) \n[IBM Data Server Driver for ODBC, CLI, and .NET Merge Modules (Windows/x86-64 64 bit)](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-ntx64-dsdriver_mm-11.1.2020.1393-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[Windows/x86-64 64 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-ntx64-dsdriver-11.1.2020.1393-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n[Windows/x86-32 32 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-nt32-dsdriver-11.1.2020.1393-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[IBM Data Server Driver for ODBC, CLI, and .NET Merge Modules (Windows/x86-32 32 
bit)](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-nt32-dsdriver_mm-11.1.2020.1393-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[Linux/ppc64 64 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-linuxppc64le-dsdriver-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[Linux/x86-32 32 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-linuxia32-dsdriver-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[Linux/x86-64 64 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-linuxx64-dsdriver-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[AIX 64 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-aix64-dsdriver-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \nIBM Data Server Driver for ODBC and CLI (32 bit) | DB2 11.1 Mod 2 Fix Pack 2 | Nil| [Linux/390x 64 
bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-linux390x64-odbc_cli_32-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[AIX 64 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-aix64-odbc_cli_32-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \nIBM Data Server Driver for ODBC and CLI (64 bit) | DB2 11.1 Mod 2 Fix Pack 2 | Nil| [Linux/390x 64 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FInformation%20Management&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-linux390x64-odbc_cli-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[Windows/x86-64 64 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FInformation%20Management&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-ntx64-odbc_cli-11.1.2020.1393-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[Windows/x86-32 32 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FInformation%20Management&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-nt32-odbc_cli-11.1.2020.1393-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[Linux/ppc64 64 
bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FInformation%20Management&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-linuxppc64le-odbc_cli-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[Linux/x86-32 32 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FInformation%20Management&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-linuxia32-odbc_cli-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[Linux/x86-64 64 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FInformation%20Management&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-linuxx64-odbc_cli-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n[AIX 64 bit](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FInformation%20Management&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=11.1.*&platform=All&function=fixId&fixids=DSClients-aix64-odbc_cli-11.1.2.2-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:47:55", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in open source zlib library affect IBM Data Server Driver Package and IBM 
Data Server Driver for ODBC and CLI", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-16T13:47:55", "id": "4A6416B04B27CAE9B74C8389B6937654ABC0C93ECD59880E854D35DFBB680E0A", "href": "https://www.ibm.com/support/pages/node/559787", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:50:23", "description": "## Summary\n\nIBM BladeCenter Advanced Management Module (AMM) has addressed the following vulnerabilities in zlib.\n\n## Vulnerability Details\n\n**Summary**\n\nIBM BladeCenter Advanced Management Module (AMM) has addressed the following vulnerabilities in zlib.\n\n**Vulnerability Details**\n\n**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**Affected products and versions**\n\nProduct | Affected Version \n---|--- \nIBM BladeCenter Advanced Management Module (AMM) | BPET \n \n**Remediation/Fixes**\n\nFirmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/>\n\nProduct | Fixed Version \n---|--- \nIBM BladeCenter Advanced Management Module (AMM) \nibm_fw_amm_bpet68c-3.68c | BPET68C-3.68C \n \n**Workarounds and Mitigations**\n\nNone.\n\n**References**\n\n * [Complete CVSS V3 Guide](<http://www.first.org/cvss/user-guide>)\n * [On-line Calculator V3](<http://www.first.org/cvss/calculator/3.0>)\n\n**Related Information** \n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n[Lenovo Product Security Advisories](<https://support.lenovo.com/us/en/product_security/home>)\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n02 June, 2017: Original Version Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-31T02:25:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in zlib affect IBM BladeCenter Advanced Management Module (AMM)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2019-01-31T02:25:02", "id": "20C703B7CDCCA5A0A98B08200BB477AC64A3F619D3845946502D223AF70C347D", "href": 
"https://www.ibm.com/support/pages/node/868716", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:50:59", "description": "## Summary\n\nIBM Chassis Management Module (CMM) has addressed the following vulnerabilities in zlib.\n\n## Vulnerability Details\n\n**Summary**\n\nIBM Chassis Management Module (CMM) has addressed the following vulnerabilities in zlib.\n\n**Vulnerability Details**\n\n**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>)\n\n**Description:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.\n\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**Affected products and versions**\n\nProduct | Affected Version \n---|--- \nIBM Flex System Chassis Management Module (CMM) | 2PET \n \n**Remediation/Fixes**\n\nFirmware fix versions are available on Fix Central: <http://www-ibm.com/support/fixcentral/>\n\nProduct | Fixed Version \n---|--- \nIBM Flex System Chassis Management Module (CMM) \n(ibm_fw_cmm_2pet14i-2.5.9i_anyos_noarch) | 2PET14I \n \n**Workarounds and Mitigations**\n\nNone.\n\n**References**\n\n * [Complete CVSS V3 Guide](<http://www.first.org/cvss/user-guide>)\n * [On-line Calculator V3](<http://www.first.org/cvss/calculator/3.0>)\n\n**Related Information** \n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n[Lenovo Product Security 
Advisories](<https://support.lenovo.com/us/en/product_security/home>)\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n12 May, 2017: Original Version Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-31T02:25:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in zlib affect IBM Flex System Chassis Management Module (CMM)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2019-01-31T02:25:02", "id": "F641661E21DC52C52C7753E330747239ADDCF48A53F17E3324F87BAD27730520", "href": "https://www.ibm.com/support/pages/node/868684", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:40:14", "description": "## Summary\n\nOpen Source zlib is used by IBM Netezza SQL Extensions. IBM Netezza SQL Extensions has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-9840](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [CVE-2016-9841](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. 
By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n * IBM Netezza SQL Extensions 1.5.0.0 - 7.2.1.3\n\n## Remediation/Fixes\n\nTo resolve the reported CVEs for IBM Netezza SQL Extensions, please upgrade to the following version: \n\n_Product_| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nIBM Netezza SQL Extensions| 7.2.1.4| [_Link to Fix Central_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/Information+Management&product=ibm/Information+Management/Netezza+Applications&release=SQLEXT_7.2&platform=All&function=fixId&fixids=7.2.1.4-IM-Netezza-SQLEXT-fp117101>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, 
"published": "2019-10-18T03:10:29", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in Open Source zlib affect IBM Netezza SQL Extensions", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2019-10-18T03:10:29", "id": "9F3B15A9AE7651159C837CFA956A8CC8AD21BC8222D78C6F0BBC6EACD0C01634", "href": "https://www.ibm.com/support/pages/node/557505", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:40:37", "description": "## Summary\n\nOpen Source zlib is vulnerable to a denial of service. By persuading a user to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a user to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a user to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a user to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a user to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**_IBM WebSphere MQ V7.1_**\n\nIBM WebSphere MQ 7.1.0.0 - 7.1.0.8 maintenance levels\n\n**_IBM WebSphere MQ V7.5_**\n\nIBM WebSphere MQ 7.5.0.0 - 7.5.0.7 maintenance levels\n\n**_IBM MQ V8_**\n\nIBM MQ 8.0.0.0 - 8.0.0.6 maintenance levels\n\n**_IBM MQ Appliance V8_**\n\nIBM MQ Appliance 8.0.0.0 - 8.0.0.6 maintenance levels\n\n**_IBM MQ V9 LTS_**\n\nIBM MQ V9.0.0.0 only\n\n \n**_IBM MQ V9 CD_** \nIBM MQ V9.0.1 and V9.0.2 \n**_IBM MQ Appliance V9 CD_** \nIBM MQ Appliance V9.0.1 and V9.0.2 \n\n## Remediation/Fixes\n\n**_IBM WebSphere MQ V7.1_**\n\n[Apply Fix Pack 7.1.0.9](<http://www-01.ibm.com/support/docview.wss?uid=swg22010694>)\n\n**_IBM WebSphere MQ V7.5_**\n\n[Apply Fix Pack 7.5.0.8](<http://www-01.ibm.com/support/docview.wss?uid=swg22005413>)\n\n**_IBM MQ V8_**\n\n[Apply Fix Pack 8.0.0.7](<https://www-01.ibm.com/support/docview.wss?uid=swg22005832>)\n\n**_IBM MQ Appliance V8_**\n\n[Apply Fix Pack 8.0.0.7](<https://www-01.ibm.com/support/docview.wss?uid=swg22005832>) for MQ Appliance\n\n**_IBM MQ V9 LTS_**\n\n[Apply Fix Pack 9.0.0.1](<https://www-01.ibm.com/support/docview.wss?uid=swg24043467>)\n\n**_IBM MQ V9 CD_**\n\n[Upgrade to IBM MQ V9.0.3](<http://www-01.ibm.com/support/docview.wss?uid=swg24043697>)\n\n \n**_IBM MQ Appliance V9 CD_** \n[Upgrade to IBM MQ Appliance 9.0.3](<https://www-01.ibm.com/support/docview.wss?uid=swg24043697>)\n\n## Workarounds and Mitigations\n\n**_All Versions_**\n\nDisable Channel Compression\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-30T07:48:35", "type": "ibm", "title": "Security Bulletin: IBM MQ, IBM WebSphere MQ and IBM MQ Appliance Open Source zlib is vulnerable to a denial of service (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2019-08-30T07:48:35", "id": "21A707C4F4B958B1A4DB1ECF43E1ADC42D7405642B0C5DE65B99CFB5B62AAD83", "href": "https://www.ibm.com/support/pages/node/557943", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:47:56", "description": "## Summary\n\nSecurity Bulletin: Multiple vulnerabilities may affect IBM\u00ae SDK Java\u2122 Technology Edition Version 6, 7, 8 and IBM\u00ae Runtime Environment Java\u2122 Version 6, 7, 8 in IBM FileNet Content Manager, and IBM Content Foundation. \nJava SE issues disclosed in the Oracle April 2017 Critical Patch Update. \n\n\n## Vulnerability Details\n\nAdvisory CVEs: \nCVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843 \n\n \nThis bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2017 Critical Patch Update. 
For more information please refer to [_Oracle's April 2017 CPU Advisory_](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA>) and the X-Force database entries referenced below. \n\n \n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nFileNet Content Manager 5.0.0, 5.2.1\n\n## Remediation/Fixes\n\nTo address this vulnerability install one of the fixes listed below to upgrade the IBM Java JRE. \nThe fixes supply the proper Java JRE for the various release levels of the affected products. 
Depending upon the product and release level, these fixes will upgrade the Java JRE (April 2017) to one of the following: \n\n * IBM JRE, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 45\n * IBM JRE, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 15\n * IBM JRE, Java Technology Edition, Version 8 Service Refresh 4 Fix Pack 5\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nFileNet Content Manager| 5.0.0| [PJ44768](<http://www.ibm.com/support/docview.wss?uid=swg1PJ44768>)| [5.0.0.10-P8PE-FP010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet%20Product%20Family&product=ibm/Information+Management/FileNet+Process+Engine&release=5.0.0.10&platform=All&function=all>) \\- 8/11/2017 \nFileNet Content Manager| 5.2.1| [PJ44768](<http://www.ibm.com/support/docview.wss?uid=swg1PJ44768>)| [5.2.1.7-P8CSS-FP007](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet%20Product%20Family&product=ibm/Information+Management/FileNet+Content+Search+Services&release=5.2.1.7&platform=All&function=all>) \\- 6/26/2017 \n \nIn the above table, the APAR links will provide more information about the fix. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:18:13", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities may affect IBM\u00ae SDK Java\u2122 Technology Edition Version 6, 7, 8 and IBM\u00ae Runtime Environment Java\u2122 Version 6, 7, 8 in IBM FileNet Content Manager, and IBM Content Foundation", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-17T12:18:13", "id": "701FCAB3C800D9AB919F50251A3540E3B87060D18EDCC6A9FF0C96423F3804E0", "href": "https://www.ibm.com/support/pages/node/560357", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:51", "description": "## Summary\n\nzlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)\n\n \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM eDiscovery Manager Version 2.2.2\n\n## Remediation/Fixes\n\n_Product_| _VRM_| _Remediation_ \n---|---|--- \nIBM eDiscovery Manager| 2.2.2| Use IBM eDiscovery Manager 2.2.2 Interim Fix 11 available at [_https://www.ibm.com/support/fixcentral/_](<https://www-933.ibm.com/support/fixcentral/>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:17:44", "type": "ibm", "title": "Security Bulletin: Open Source zlib Vulnerabilities in IBM eDiscovery Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-17T12:17:44", "id": "3D812A2E5E1DE6B82054618E3EBB76C91CE2365FE982C3392DE97D4AEC269290", "href": "https://www.ibm.com/support/pages/node/291267", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:41:24", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 and 8 used by Rational Business Developer. These issues were disclosed as part of the IBM Java SDK updates in Apr and Jul 2017.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-10243_](<https://vulners.com/cve/CVE-2017-10243>) \n**DESCRIPTION:** Microsoft Office software could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of objects in memory. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code on the system with privileges of the victim. \nCVSS Base Score: 7.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125293_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125293>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-10109_](<https://vulners.com/cve/CVE-2017-10109>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE, Java SE Embedded, JRockit Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/128870_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/128870>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-10108_](<https://vulners.com/cve/CVE-2017-10108>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE, Java SE Embedded, JRockit Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/128869_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/128869>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3511_](<https://vulners.com/cve/CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-1289_](<https://vulners.com/cve/CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nRational Business Developer 9.0 - 9.5\n\n## Remediation/Fixes\n\nProduct| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nRational Business Developer| 9.0.x, 9.1.x, 9.5.x| None| [_Rational-rbd-IFix-IBMJDK7SR10FP10_](<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.ibm.com%2Fsupport%2Ffixcentral%2Fquickorder%3Fproduct%3Dibm%252FRational%252FRational%2BBusiness%2BDeveloper%26fixids%3DRational-rbd-IFix-IBMJDK7SR10FP10%26source%3DSAR&data=02%7C01%7Challm%40hcl.com%7C73b831481f0d49f9717e08d593c7312d%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636577406106998150&sdata=hOnHO%2Bko21iJH4%2FEC5acEG54jf0rrbuUGd5MiZVJKt8%3D&reserved=0>), [_Rational-rbd-IFix-IBMJDK8SR4FP10_](<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.ibm.com%2Fsupport%2Ffixcentral%2Fquickorder%3Fproduct%3Dibm%252FRational%252FRational%2BBusiness%2BDeveloper%26fixids%3DRational-rbd-IFix-IBMJDK8SR4FP10%26source%3DSAR&data=02%7C01%7Challm%40hcl.com%7C73b831481f0d49f9717e08d593c7312d%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636577406106998150&sdata=PiT%2FMth3HYj2QnXlzLdw981EQhUX14lr3nWzscIsoLU%3D&reserved=0>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10108", "CVE-2017-10109", "CVE-2017-10243", "CVE-2017-1289", "CVE-2017-3511"], "modified": "2018-08-03T04:23:43", "id": "DB88427B9B30E7BC27929575B10F1309F406508317076AB2CB83FCDD79124D3A", "href": "https://www.ibm.com/support/pages/node/566943", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:44:39", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 and 7 that are used by Tivoli Netcool/OMNIbus. These were disclosed as part of the IBM Java SDK updates in January 2017 and April 2017. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5552_](<https://vulners.com/cve/CVE-2016-5552>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120872_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120872>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2016-9840_](<https://vulners.com/cve/CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<https://vulners.com/cve/CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<https://vulners.com/cve/CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<https://vulners.com/cve/CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\nTivoli Netcool/OMNIbus 7.4.0 \nTivoli Netcool/OMNIbus 8.1.0\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nOMNIbus| 7.4.0.14| IV94202| <http://www-01.ibm.com/support/docview.wss?uid=swg24043837> \nOMNIbus| 8.1.0.12| IV94202| <http://www-01.ibm.com/support/docview.wss?uid=swg24043823> \n \n## Workarounds and Mitigations\n\nUpgrading the JRE is the only solution.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:42:17", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs)", 
"bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5552", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-17T15:42:17", "id": "24DFABA5B2EC0AE6CB408AFF790D7F41BC7385C13B55076C79F5992C78869191", "href": "https://www.ibm.com/support/pages/node/563921", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T14:35:11", "description": "The version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities in the following subcomponents :\n\n - Multiple vulnerabilities exist in the zlib subcomponent that allow an unauthenticated, remote attacker to trigger denial of service conditions. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)\n\n - An unspecified flaw exists in the XML subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-1289)\n\n - An unspecified flaw exists in the Networking subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity.\n (CVE-2017-3509)\n\n - An unspecified flaw exists in the JCE subcomponent that allows a local attacker to gain elevated privileges.\n This vulnerability does not affect Java SE version 6.\n (CVE-2017-3511)\n\n - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. This vulnerability does not affect Java SE version 6. 
(CVE-2017-3512)\n\n - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3514)\n\n - Multiple unspecified flaws exist in the Networking subcomponent that allow an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data. (CVE-2017-3533, CVE-2017-3544)\n\n - An unspecified flaw exists in the Security subcomponent that allows an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data.\n (CVE-2017-3539)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-09-13T00:00:00", "type": "nessus", "title": "AIX Java Advisory : java_apr2017_advisory.asc (April 2017 CPU)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-04T00:00:00", "cpe": ["cpe:/o:ibm:aix", "cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "AIX_JAVA_APR2017_ADVISORY.NASL", "href": 
"https://www.tenable.com/plugins/nessus/103189", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103189);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2016-9840\",\n \"CVE-2016-9841\",\n \"CVE-2016-9842\",\n \"CVE-2016-9843\",\n \"CVE-2017-1289\",\n \"CVE-2017-3509\",\n \"CVE-2017-3511\",\n \"CVE-2017-3512\",\n \"CVE-2017-3514\",\n \"CVE-2017-3533\",\n \"CVE-2017-3539\",\n \"CVE-2017-3544\"\n );\n script_bugtraq_id(\n 95131,\n 97727,\n 97729,\n 97731,\n 97737,\n 97740,\n 97745,\n 97752,\n 98401\n );\n\n script_name(english:\"AIX Java Advisory : java_apr2017_advisory.asc (April 2017 CPU)\");\n script_summary(english:\"Checks the version of the Java package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Java SDK installed on the remote AIX host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Java SDK installed on the remote AIX host is affected\nby multiple vulnerabilities in the following subcomponents :\n\n - Multiple vulnerabilities exist in the zlib subcomponent\n that allow an unauthenticated, remote attacker to\n trigger denial of service conditions. (CVE-2016-9840,\n CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)\n\n - An unspecified flaw exists in the XML subcomponent that\n allows an unauthenticated, remote attacker to execute\n arbitrary code. 
(CVE-2017-1289)\n\n - An unspecified flaw exists in the Networking\n subcomponent that allows an unauthenticated, remote\n attacker to impact confidentiality and integrity.\n (CVE-2017-3509)\n\n - An unspecified flaw exists in the JCE subcomponent that\n allows a local attacker to gain elevated privileges.\n This vulnerability does not affect Java SE version 6.\n (CVE-2017-3511)\n\n - An unspecified flaw exists in the AWT subcomponent\n that allows an unauthenticated, remote attacker to\n execute arbitrary code. This vulnerability does not\n affect Java SE version 6. (CVE-2017-3512)\n\n - An unspecified flaw exists in the AWT subcomponent\n that allows an unauthenticated, remote attacker to\n execute arbitrary code. (CVE-2017-3514)\n\n - Multiple unspecified flaws exist in the Networking\n subcomponent that allow an unauthenticated, remote\n attacker to gain update, insert, or delete access to\n unauthorized data. (CVE-2017-3533, CVE-2017-3544)\n\n - An unspecified flaw exists in the Security subcomponent\n that allows an unauthenticated, remote attacker to gain\n update, insert, or delete access to unauthorized data.\n (CVE-2017-3539)\");\n # http://aix.software.ibm.com/aix/efixes/security/java_apr2017_advisory.asc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8d03f97b\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ce533d8f\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?17d05c61\");\n # 
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d4595696\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9abd5252\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4ee03dc1\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8f7a066c\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?52d4ddf3\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?343fa903\");\n # http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\n 
script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?623d2c22\");\n script_set_attribute(attribute:\"solution\", value:\n\"Fixes are available by version and can be downloaded from the IBM AIX\nwebsite.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/13\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\", \"Host/AIX/oslevelsp\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! 
get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item_or_exit(\"Host/AIX/version\");\nif ( oslevel != \"AIX-5.3\" && oslevel != \"AIX-6.1\" && oslevel != \"AIX-7.1\" && oslevel != \"AIX-7.2\" )\n{\n oslevel = ereg_replace(string:oslevel, pattern:\"-\", replace:\" \");\n audit(AUDIT_OS_NOT, \"AIX 5.3 / 6.1 / 7.1 / 7.2\", oslevel);\n}\n\noslevelcomplete = chomp(get_kb_item(\"Host/AIX/oslevelsp\"));\nif (empty_or_null(oslevelcomplete)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\n\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nflag = 0;\n\n#Java6 6.0.0.645\nif (aix_check_package(release:\"5.3\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"5.3\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\n\n#Java7 7.0.0.605\nif 
(aix_check_package(release:\"6.1\", package:\"Java7.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java7_64.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7_64.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7_64.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\n\n#Java7.1 7.1.0.405\nif (aix_check_package(release:\"6.1\", package:\"Java7.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java7_64.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7_64.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7_64.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\n\n#Java8.0 8.0.0.406\nif 
(aix_check_package(release:\"6.1\", package:\"Java8.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java8.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java8.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java8_64.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java8_64.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java8_64.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : aix_report_get()\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Java6 / Java7 / Java8\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:26:08", "description": "This update for java-1_7_1-ibm fixes the following issues: Version update to 7.1-4.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories search path 
in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-24T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2017:1387-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_7_1-ibm", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin", "cpe:/o:novell:suse_linux:11"], "id": 
"SUSE_SU-2017-1387-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100378", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1387-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100378);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2017:1387-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_7_1-ibm fixes the following issues: Version\nupdate to 7.1-4.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories\n search path in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP\n client\n\nNote that 
Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171387-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0795a9e4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t\npatch sdksp4-java-1_7_1-ibm-13123=1\n\nSUSE 
Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-java-1_7_1-ibm-13123=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.5-25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.5-25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"java-1_7_1-ibm-1.7.1_sr4.5-25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.5-25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"i586\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.5-25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"i586\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.5-25.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_1-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:26:40", "description": "This update for java-1_7_1-ibm fixes the following issues :\n\n - Version update to 7.1-4.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories search path in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP client\n\n - 
CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-24T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2017:1385-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_7_1-ibm", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-devel", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-1385-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100376", "sourceData": "#%NASL_MIN_LEVEL 
70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1385-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100376);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2017:1385-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_7_1-ibm fixes the following issues :\n\n - Version update to 7.1-4.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories\n search path in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP\n client\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171385-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b99504ca\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-847=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t\npatch SUSE-SLE-SDK-12-SP1-2017-847=1\n\nSUSE 
Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-847=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-847=1\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-847=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-847=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(0|1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_1-ibm-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_1-ibm-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_1-ibm-devel-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.5-37.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_1-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2023-01-11T14:25:07", "description": "This update for java-1_8_0-ibm fixes the following issues: Version update bsc#1038505 :\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories search path in Launcher\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP client\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-24T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2017:1386-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_8_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-1386-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100377", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1386-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100377);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2017:1386-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_8_0-ibm fixes the following issues: Version\nupdate bsc#1038505 :\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left 
shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP\n client\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories\n search path in Launcher\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171386-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b1e96fe3\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-844=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t\npatch SUSE-SLE-SDK-12-SP1-2017-844=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-844=1\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-844=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/23\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr4.5-29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr4.5-29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_8_0-ibm-1.8.0_sr4.5-29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-1.8.0_sr4.5-29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr4.5-29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr4.5-29.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:27:18", "description": "This update for java-1_7_0-ibm fixes the following issues: Version update to 7.0-10.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories search path in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP 
client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-24T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2017:1384-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_7_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-devel", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-plugin", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2017-1384-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100375", "sourceData": 
"#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1384-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100375);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2017:1384-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_7_0-ibm fixes the following issues: Version\nupdate to 7.0-10.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories\n search path in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP\n client\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE 
security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171384-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2813b030\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch\nslessp3-java-1_7_0-ibm-13124=1\n\nSUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch\nsleposp3-java-1_7_0-ibm-13124=1\n\nTo bring your 
system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_0-ibm-alsa-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_0-ibm-plugin-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_7_0-ibm-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_7_0-ibm-devel-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_7_0-ibm-jdbc-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"i586\", reference:\"java-1_7_0-ibm-alsa-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"i586\", reference:\"java-1_7_0-ibm-plugin-1.7.0_sr10.5-64.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_0-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:27:18", "description": "An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP5.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security Vulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-1289, CVE-2017-3509, CVE-2017-3511, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-11T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2017:1221)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", 
"CVE-2017-3539", "CVE-2017-3544"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5"], "id": "REDHAT-RHSA-2017-1221.NASL", "href": "https://www.tenable.com/plugins/nessus/100118", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1221. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100118);\n script_version(\"3.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n script_xref(name:\"RHSA\", value:\"2017:1221\");\n\n script_name(english:\"RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2017:1221)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.7.1-ibm is now available for Red Hat Enterprise\nLinux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 7 Release 1 includes the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP5.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further\ninformation about these flaws can be found on the IBM Java Security\nVulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843,\nCVE-2017-1289, CVE-2017-3509, CVE-2017-3511, CVE-2017-3533,\nCVE-2017-3539, CVE-2017-3544)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://developer.ibm.com/javasdk/support/security-vulnerabilities/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1221\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-1289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://access.redhat.com/security/cve/cve-2017-3533\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3539\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3544\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1221\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", 
cpu:\"i686\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-plugin-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-plugin-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-src-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-src-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-src-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.7.1-ibm-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-plugin-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-src-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-src-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n\n if (flag)\n {\n 
security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.1-ibm / java-1.7.1-ibm-demo / java-1.7.1-ibm-devel / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:25:29", "description": "An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR4-FP5.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. 
Further information about these flaws can be found on the IBM Java Security Vulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-1289, CVE-2017-3509, CVE-2017-3511, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-11T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : java-1.8.0-ibm (RHSA-2017:1220)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.4", 
"cpe:/o:redhat:enterprise_linux:7.5"], "id": "REDHAT-RHSA-2017-1220.NASL", "href": "https://www.tenable.com/plugins/nessus/100117", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1220. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100117);\n script_version(\"3.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n script_xref(name:\"RHSA\", value:\"2017:1220\");\n\n script_name(english:\"RHEL 6 / 7 : java-1.8.0-ibm (RHSA-2017:1220)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.8.0-ibm is now available for Red Hat Enterprise\nLinux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 8 includes the IBM Java Runtime Environment and\nthe IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR4-FP5.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. 
Further\ninformation about these flaws can be found on the IBM Java Security\nVulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843,\nCVE-2017-1289, CVE-2017-3509, CVE-2017-3511, CVE-2017-3533,\nCVE-2017-3539, CVE-2017-3544)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://developer.ibm.com/javasdk/support/security-vulnerabilities/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1220\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-1289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3533\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3539\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3544\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1220\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", 
reference:\"java-1.8.0-ibm-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-demo-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-demo-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-demo-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-devel-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-devel-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-devel-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-jdbc-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-jdbc-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-jdbc-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-plugin-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-plugin-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-src-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-src-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-src-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-ibm-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-demo-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", 
cpu:\"x86_64\", reference:\"java-1.8.0-ibm-demo-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-ibm-devel-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-jdbc-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-jdbc-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-plugin-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-src-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-src-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-ibm / java-1.8.0-ibm-demo / java-1.8.0-ibm-devel / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:26:39", "description": "An update for java-1.6.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 6 to version 6 SR16-FP45.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. 
Further information about these flaws can be found on the IBM Java Security Vulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-1289, CVE-2017-3509, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-11T00:00:00", "type": "nessus", "title": "RHEL 6 : java-1.6.0-ibm (RHSA-2017:1222)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-javacomm", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-src", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2017-1222.NASL", "href": 
"https://www.tenable.com/plugins/nessus/100119", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1222. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100119);\n script_version(\"3.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n script_xref(name:\"RHSA\", value:\"2017:1222\");\n\n script_name(english:\"RHEL 6 : java-1.6.0-ibm (RHSA-2017:1222)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.6.0-ibm is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 6 includes the IBM Java Runtime Environment and\nthe IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 6 to version 6 SR16-FP45.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. 
Further\ninformation about these flaws can be found on the IBM Java Security\nVulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843,\nCVE-2017-1289, CVE-2017-3509, CVE-2017-3533, CVE-2017-3539,\nCVE-2017-3544)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://developer.ibm.com/javasdk/support/security-vulnerabilities/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1222\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-1289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3533\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3539\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3544\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-javacomm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1222\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.6.0-ibm-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", 
reference:\"java-1.6.0-ibm-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-demo-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.6.0-ibm-demo-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-demo-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-devel-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.6.0-ibm-devel-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-devel-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-javacomm-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-javacomm-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-jdbc-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.6.0-ibm-jdbc-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-jdbc-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-plugin-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-plugin-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-src-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.6.0-ibm-src-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-src-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n\n if (flag)\n {\n 
security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-ibm / java-1.6.0-ibm-demo / java-1.6.0-ibm-devel / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:26:05", "description": "This update for java-1_8_0-openjdk fixes the following issues :\n\n - Upgrade to version jdk8u131 (icedtea 3.4.0) - bsc#1034849\n\n - Security fixes\n\n - S8163520, CVE-2017-3509: Reuse cache entries\n\n - S8163528, CVE-2017-3511: Better library loading\n\n - S8165626, CVE-2017-3512: Improved window framing\n\n - S8167110, CVE-2017-3514: Windows peering issue\n\n - S8168699: Validate special case invocations\n\n - S8169011, CVE-2017-3526: Resizing XML parse trees\n\n - S8170222, CVE-2017-3533: Better transfers of files\n\n - S8171121, CVE-2017-3539: Enhancing jar checking\n\n - S8171533, CVE-2017-3544: Better email transfer\n\n - S8172299: Improve class processing\n\n - New features\n\n - PR1969: Add AArch32 JIT port\n\n - PR3297: Allow Shenandoah to be used on AArch64\n\n - PR3340: jstack.stp should support AArch64\n\n - Import of OpenJDK 8 u131 build 11\n\n - S6474807: (smartcardio) CardTerminal.connect() throws CardException instead of CardNotPresentException\n\n - S6515172, PR3346: Runtime.availableProcessors() ignores Linux taskset command\n\n - S7155957:\n closed/java/awt/MenuBar/MenuBarStress1/MenuBarStress1.ja va hangs on win 64 bit with jdk8\n\n - S7167293: FtpURLConnection connection leak on FileNotFoundException\n\n - S8035568: [macosx] Cursor management unification\n\n - S8079595: Resizing dialog which is JWindow parent makes JVM crash\n\n - S8130769: The new menu can't be shown on the menubar after clicking the 'Add' button.\n\n - S8146602:\n 
jdk/test/sun/misc/URLClassPath/ClassnameCharTest.java test fails with NullPointerException\n\n - S8147842: IME Composition Window is displayed at incorrect location\n\n - S8147910, PR3346: Cache initial active_processor_count\n\n - S8150490: Update OS detection code to recognize Windows Server 2016\n\n - S8160951: [TEST_BUG] javax/xml/bind/marshal/8134111/UnmarshalTest.java should be added into :needs_jre group\n\n - S8160958: [TEST_BUG] java/net/SetFactoryPermission/SetFactoryPermission.java should be added into :needs_compact2 group\n\n - S8161147: jvm crashes when -XX:+UseCountedLoopSafepoints is enabled\n\n - S8161195: Regression:\n closed/javax/swing/text/FlowView/LayoutTest.java\n\n - S8161993, PR3346: G1 crashes if active_processor_count changes during startup\n\n - S8162876: [TEST_BUG] sun/net/www/protocol/http/HttpInputStream.java fails intermittently\n\n - S8162916: Test sun/security/krb5/auto/UnboundSSL.java fails\n\n - S8164533:\n sun/security/ssl/SSLSocketImpl/CloseSocket.java failed with 'Error while cleaning up threads after test'\n\n - S8167179: Make XSL generated namespace prefixes local to transformation process\n\n - S8168774: Polymorhic signature method check crashes javac\n\n - S8169465: Deadlock in com.sun.jndi.ldap.pool.Connections\n\n - S8169589: [macosx] Activating a JDialog puts to back another dialog\n\n - S8170307: Stack size option -Xss is ignored\n\n - S8170316: (tz) Support tzdata2016j\n\n - S8170814: Reuse cache entries (part II)\n\n - S8170888, PR3314, RH1284948: [linux] Experimental support for cgroup memory limits in container (ie Docker) environments\n\n - S8171388: Update JNDI Thread contexts\n\n - S8171949: [macosx] AWT_ZoomFrame Automated tests fail with error: The bitwise mask Frame.ICONIFIED is not setwhen the frame is in ICONIFIED state\n\n - S8171952: [macosx] AWT_Modality/Automated/ModalExclusion/NoExclusion/Modele ssDialog test fails as DummyButton on Dialog did not gain focus when clicked.\n\n - S8173030: Temporary 
backout fix #8035568 from 8u131-b03\n\n - S8173031: Temporary backout fix #8171952 from 8u131-b03\n\n - S8173783, PR3328: IllegalArgumentException:\n jdk.tls.namedGroups\n\n - S8173931: 8u131 L10n resource file update\n\n - S8174844: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle\n\n - S8174985: NTLM authentication doesn't work with IIS if NTLM cache is disabled\n\n - S8176044: (tz) Support tzdata2017a\n\n - Backports\n\n - S6457406, PR3335: javadoc doesn't handle <a href='http://...'> properly in producing index pages\n\n - S8030245, PR3335: Update langtools to use try-with-resources and multi-catch\n\n - S8030253, PR3335: Update langtools to use strings-in-switch\n\n - S8030262, PR3335: Update langtools to use foreach loops\n\n - S8031113, PR3337: TEST_BUG:\n java/nio/channels/AsynchronousChannelGroup/Basic.java fails intermittently\n\n - S8031625, PR3335: javadoc problems referencing inner class constructors\n\n - S8031649, PR3335: Clean up javadoc tests\n\n - S8031670, PR3335: Remove unneeded -source options in javadoc tests\n\n - S8032066, PR3335: Serialized form has broken links to non private inner classes of package private\n\n - S8034174, PR2290: Remove use of JVM_* functions from java.net code\n\n - S8034182, PR2290: Misc. 
warnings in java.net code\n\n - S8035876, PR2290: AIX build issues after '8034174:\n Remove use of JVM_* functions from java.net code'\n\n - S8038730, PR3335: Clean up the way JavadocTester is invoked, and checks for errors.\n\n - S8040903, PR3335: Clean up use of BUG_ID in javadoc tests\n\n - S8040904, PR3335: Ensure javadoc tests do not overwrite results within tests\n\n - S8040908, PR3335: javadoc test TestDocEncoding should use\n\n -notimestamp\n\n - S8041150, PR3335: Avoid silly use of static methods in JavadocTester\n\n - S8041253, PR3335: Avoid redundant synonyms of NO_TEST\n\n - S8043780, PR3368: Use open(O_CLOEXEC) instead of fcntl(FD_CLOEXEC)\n\n - S8061305, PR3335: Javadoc crashes when method name ends with 'Property'\n\n - S8072452, PR3337: Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits\n\n - S8075565, PR3337: Define @intermittent jtreg keyword and mark intermittently failing jdk tests\n\n - S8075670, PR3337: Remove intermittent keyword from some tests\n\n - S8078334, PR3337: Mark regression tests using randomness\n\n - S8078880, PR3337: Mark a few more intermittently failuring security-libs\n\n - S8133318, PR3337: Exclude intermittent failing PKCS11 tests on Solaris SPARC 11.1 and earlier\n\n - S8144539, PR3337: Update PKCS11 tests to run with security manager\n\n - S8144566, PR3352: Custom HostnameVerifier disables SNI extension\n\n - S8153711, PR3313, RH1284948: [REDO] JDWP: Memory Leak:\n GlobalRefs never deleted when processing invokeMethod command\n\n - S8155049, PR3352: New tests from 8144566 fail with 'No expected Server Name Indication'\n\n - S8173941, PR3326: SA does not work if executable is DSO\n\n - S8174164, PR3334, RH1417266:\n SafePointNode::_replaced_nodes breaks with irreducible loops\n\n - S8174729, PR3336, RH1420518: Race Condition in java.lang.reflect.WeakCache\n\n - S8175097, PR3334, RH1417266: [TESTBUG] 8174164 fix missed the test\n\n - Bug fixes\n\n - PR3348: Architectures unsupported by SystemTap tapsets throw a 
parse error\n\n - PR3378: Perl should be mandatory\n\n - PR3389: javac.in and javah.in should use @PERL@ rather than a hard-coded path\n\n - AArch64 port\n\n - S8168699, PR3372: Validate special case invocations [AArch64 support]\n\n - S8170100, PR3372: AArch64: Crash in C1-compiled code accessing References\n\n - S8172881, PR3372: AArch64: assertion failure: the int pressure is incorrect\n\n - S8173472, PR3372: AArch64: C1 comparisons with null only use 32-bit instructions\n\n - S8177661, PR3372: Correct ad rule output register types from iRegX to iRegXNoSp\n\n - AArch32 port\n\n - PR3380: Zero should not be enabled by default on arm with the AArch32 HotSpot build\n\n - PR3384, S8139303, S8167584: Add support for AArch32 architecture to configure and jdk makefiles\n\n - PR3385: aarch32 does not support -Xshare:dump\n\n - PR3386, S8164652: AArch32 jvm.cfg wrong for C1 build\n\n - PR3387: Installation fails on arm with AArch32 port as INSTALL_ARCH_DIR is arm, not aarch32\n\n - PR3388: Wrong path for jvm.cfg being used on arm with AArch32 build\n\n - Shenandoah\n\n - Fix Shenandoah argument checking on 32bit builds.\n\n - Import from Shenandoah tag aarch64-shenandoah-jdk8u101-b14-shenandoah-merge-2016-07-25\n\n - Import from Shenandoah tag aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-02-20\n\n - Import from Shenandoah tag aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03-06\n\n - Import from Shenandoah tag aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03-09\n\n - Import from Shenandoah tag aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03-23\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2017-05-31T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2017:1445-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debugsource", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-1445-1.NASL", "href": 
"https://www.tenable.com/plugins/nessus/100541", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1445-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100541);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3512\", \"CVE-2017-3514\", \"CVE-2017-3526\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2017:1445-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_8_0-openjdk fixes the following issues :\n\n - Upgrade to version jdk8u131 (icedtea 3.4.0) -\n bsc#1034849\n\n - Security fixes\n\n - S8163520, CVE-2017-3509: Reuse cache entries\n\n - S8163528, CVE-2017-3511: Better library loading\n\n - S8165626, CVE-2017-3512: Improved window framing\n\n - S8167110, CVE-2017-3514: Windows peering issue\n\n - S8168699: Validate special case invocations\n\n - S8169011, CVE-2017-3526: Resizing XML parse trees\n\n - S8170222, CVE-2017-3533: Better transfers of files\n\n - S8171121, CVE-2017-3539: Enhancing jar checking\n\n - S8171533, CVE-2017-3544: Better email transfer\n\n - S8172299: Improve class processing\n\n - New features\n\n - PR1969: Add AArch32 JIT port\n\n - PR3297: Allow Shenandoah to be used on AArch64\n\n - PR3340: jstack.stp should support AArch64\n\n - Import of OpenJDK 8 u131 build 11\n\n - S6474807: (smartcardio) CardTerminal.connect() 
throws\n CardException instead of CardNotPresentException\n\n - S6515172, PR3346: Runtime.availableProcessors() ignores\n Linux taskset command\n\n - S7155957:\n closed/java/awt/MenuBar/MenuBarStress1/MenuBarStress1.ja\n va hangs on win 64 bit with jdk8\n\n - S7167293: FtpURLConnection connection leak on\n FileNotFoundException\n\n - S8035568: [macosx] Cursor management unification\n\n - S8079595: Resizing dialog which is JWindow parent makes\n JVM crash\n\n - S8130769: The new menu can't be shown on the menubar\n after clicking the 'Add' button.\n\n - S8146602:\n jdk/test/sun/misc/URLClassPath/ClassnameCharTest.java\n test fails with NullPointerException\n\n - S8147842: IME Composition Window is displayed at\n incorrect location\n\n - S8147910, PR3346: Cache initial active_processor_count\n\n - S8150490: Update OS detection code to recognize Windows\n Server 2016\n\n - S8160951: [TEST_BUG]\n javax/xml/bind/marshal/8134111/UnmarshalTest.java should\n be added into :needs_jre group\n\n - S8160958: [TEST_BUG]\n java/net/SetFactoryPermission/SetFactoryPermission.java\n should be added into :needs_compact2 group\n\n - S8161147: jvm crashes when -XX:+UseCountedLoopSafepoints\n is enabled\n\n - S8161195: Regression:\n closed/javax/swing/text/FlowView/LayoutTest.java\n\n - S8161993, PR3346: G1 crashes if active_processor_count\n changes during startup\n\n - S8162876: [TEST_BUG]\n sun/net/www/protocol/http/HttpInputStream.java fails\n intermittently\n\n - S8162916: Test sun/security/krb5/auto/UnboundSSL.java\n fails\n\n - S8164533:\n sun/security/ssl/SSLSocketImpl/CloseSocket.java failed\n with 'Error while cleaning up threads after test'\n\n - S8167179: Make XSL generated namespace prefixes local to\n transformation process\n\n - S8168774: Polymorhic signature method check crashes\n javac\n\n - S8169465: Deadlock in com.sun.jndi.ldap.pool.Connections\n\n - S8169589: [macosx] Activating a JDialog puts to back\n another dialog\n\n - S8170307: Stack size option -Xss is 
ignored\n\n - S8170316: (tz) Support tzdata2016j\n\n - S8170814: Reuse cache entries (part II)\n\n - S8170888, PR3314, RH1284948: [linux] Experimental\n support for cgroup memory limits in container (ie\n Docker) environments\n\n - S8171388: Update JNDI Thread contexts\n\n - S8171949: [macosx] AWT_ZoomFrame Automated tests fail\n with error: The bitwise mask Frame.ICONIFIED is not\n setwhen the frame is in ICONIFIED state\n\n - S8171952: [macosx]\n AWT_Modality/Automated/ModalExclusion/NoExclusion/Modele\n ssDialog test fails as DummyButton on Dialog did not\n gain focus when clicked.\n\n - S8173030: Temporary backout fix #8035568 from 8u131-b03\n\n - S8173031: Temporary backout fix #8171952 from 8u131-b03\n\n - S8173783, PR3328: IllegalArgumentException:\n jdk.tls.namedGroups\n\n - S8173931: 8u131 L10n resource file update\n\n - S8174844: Incorrect GPL header causes RE script to miss\n swap to commercial header for licensee source bundle\n\n - S8174985: NTLM authentication doesn't work with IIS if\n NTLM cache is disabled\n\n - S8176044: (tz) Support tzdata2017a\n\n - Backports\n\n - S6457406, PR3335: javadoc doesn't handle <a\n href='http://...'> properly in producing index pages\n\n - S8030245, PR3335: Update langtools to use\n try-with-resources and multi-catch\n\n - S8030253, PR3335: Update langtools to use\n strings-in-switch\n\n - S8030262, PR3335: Update langtools to use foreach loops\n\n - S8031113, PR3337: TEST_BUG:\n java/nio/channels/AsynchronousChannelGroup/Basic.java\n fails intermittently\n\n - S8031625, PR3335: javadoc problems referencing inner\n class constructors\n\n - S8031649, PR3335: Clean up javadoc tests\n\n - S8031670, PR3335: Remove unneeded -source options in\n javadoc tests\n\n - S8032066, PR3335: Serialized form has broken links to\n non private inner classes of package private\n\n - S8034174, PR2290: Remove use of JVM_* functions from\n java.net code\n\n - S8034182, PR2290: Misc. 
warnings in java.net code\n\n - S8035876, PR2290: AIX build issues after '8034174:\n Remove use of JVM_* functions from java.net code'\n\n - S8038730, PR3335: Clean up the way JavadocTester is\n invoked, and checks for errors.\n\n - S8040903, PR3335: Clean up use of BUG_ID in javadoc\n tests\n\n - S8040904, PR3335: Ensure javadoc tests do not overwrite\n results within tests\n\n - S8040908, PR3335: javadoc test TestDocEncoding should\n use\n\n -notimestamp\n\n - S8041150, PR3335: Avoid silly use of static methods in\n JavadocTester\n\n - S8041253, PR3335: Avoid redundant synonyms of NO_TEST\n\n - S8043780, PR3368: Use open(O_CLOEXEC) instead of\n fcntl(FD_CLOEXEC)\n\n - S8061305, PR3335: Javadoc crashes when method name ends\n with 'Property'\n\n - S8072452, PR3337: Support DHE sizes up to 8192-bits and\n DSA sizes up to 3072-bits\n\n - S8075565, PR3337: Define @intermittent jtreg keyword and\n mark intermittently failing jdk tests\n\n - S8075670, PR3337: Remove intermittent keyword from some\n tests\n\n - S8078334, PR3337: Mark regression tests using randomness\n\n - S8078880, PR3337: Mark a few more intermittently\n failuring security-libs\n\n - S8133318, PR3337: Exclude intermittent failing PKCS11\n tests on Solaris SPARC 11.1 and earlier\n\n - S8144539, PR3337: Update PKCS11 tests to run with\n security manager\n\n - S8144566, PR3352: Custom HostnameVerifier disables SNI\n extension\n\n - S8153711, PR3313, RH1284948: [REDO] JDWP: Memory Leak:\n GlobalRefs never deleted when processing invokeMethod\n command\n\n - S8155049, PR3352: New tests from 8144566 fail with 'No\n expected Server Name Indication'\n\n - S8173941, PR3326: SA does not work if executable is DSO\n\n - S8174164, PR3334, RH1417266:\n SafePointNode::_replaced_nodes breaks with irreducible\n loops\n\n - S8174729, PR3336, RH1420518: Race Condition in\n java.lang.reflect.WeakCache\n\n - S8175097, PR3334, RH1417266: [TESTBUG] 8174164 fix\n missed the test\n\n - Bug fixes\n\n - PR3348: Architectures 
unsupported by SystemTap tapsets\n throw a parse error\n\n - PR3378: Perl should be mandatory\n\n - PR3389: javac.in and javah.in should use @PERL@ rather\n than a hard-coded path\n\n - AArch64 port\n\n - S8168699, PR3372: Validate special case invocations\n [AArch64 support]\n\n - S8170100, PR3372: AArch64: Crash in C1-compiled code\n accessing References\n\n - S8172881, PR3372: AArch64: assertion failure: the int\n pressure is incorrect\n\n - S8173472, PR3372: AArch64: C1 comparisons with null only\n use 32-bit instructions\n\n - S8177661, PR3372: Correct ad rule output register types\n from iRegX to iRegXNoSp\n\n - AArch32 port\n\n - PR3380: Zero should not be enabled by default on arm\n with the AArch32 HotSpot build\n\n - PR3384, S8139303, S8167584: Add support for AArch32\n architecture to configure and jdk makefiles\n\n - PR3385: aarch32 does not support -Xshare:dump\n\n - PR3386, S8164652: AArch32 jvm.cfg wrong for C1 build\n\n - PR3387: Installation fails on arm with AArch32 port as\n INSTALL_ARCH_DIR is arm, not aarch32\n\n - PR3388: Wrong path for jvm.cfg being used on arm with\n AArch32 build\n\n - Shenandoah\n\n - Fix Shenandoah argument checking on 32bit builds.\n\n - Import from Shenandoah tag\n aarch64-shenandoah-jdk8u101-b14-shenandoah-merge-2016-07-25\n\n - Import from Shenandoah tag\n aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-02-20\n\n - Import from Shenandoah tag\n aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03-06\n\n - Import from Shenandoah tag\n aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03-09\n\n - Import from Shenandoah tag\n aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03-23\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://...\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1034849\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3512/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3514/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3526/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171445-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?def94341\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-879=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-879=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-879=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-demo-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-demo-debuginfo-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-devel-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-devel-debuginfo-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-headless-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-headless-1.8.0.131-26.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.131-26.3\")) flag++;\n\n\nif (flag)\n{\n set_kb_item(name:'www/0/XSS', value:TRUE);\n if 
(report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-openjdk\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:22:53", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 6 Update 151, 7 Update 141, or 8 Update 131. It is, therefore, affected by multiple vulnerabilities :\n\n - An unspecified flaw exists in the Networking subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity.\n (CVE-2017-3509)\n\n - An unspecified flaw exists in the JCE subcomponent that allows a local attacker to gain elevated privileges.\n This vulnerability does not affect Java SE version 6.\n (CVE-2017-3511)\n\n - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. This vulnerability does not affect Java SE version 6. (CVE-2017-3512)\n\n - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3514)\n\n - An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3526)\n\n - Multiple unspecified flaws exist in the Networking subcomponent that allow an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data. 
(CVE-2017-3533, CVE-2017-3544)\n\n - An unspecified flaw exists in the Security subcomponent that allows an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data.\n (CVE-2017-3539)", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2017-04-21T00:00:00", "type": "nessus", "title": "Oracle Java SE Multiple Vulnerabilities (April 2017 CPU)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA_CPU_APR_2017.NASL", "href": "https://www.tenable.com/plugins/nessus/99588", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99588);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2017-3509\",\n \"CVE-2017-3511\",\n \"CVE-2017-3512\",\n 
\"CVE-2017-3514\",\n \"CVE-2017-3526\",\n \"CVE-2017-3533\",\n \"CVE-2017-3539\",\n \"CVE-2017-3544\"\n );\n script_bugtraq_id(\n 97727,\n 97729,\n 97731,\n 97733,\n 97737,\n 97740,\n 97745,\n 97752\n );\n\n script_name(english:\"Oracle Java SE Multiple Vulnerabilities (April 2017 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a programming platform that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is prior to 6 Update 151, 7 Update 141,\nor 8 Update 131. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An unspecified flaw exists in the Networking\n subcomponent that allows an unauthenticated, remote\n attacker to impact confidentiality and integrity.\n (CVE-2017-3509)\n\n - An unspecified flaw exists in the JCE subcomponent that\n allows a local attacker to gain elevated privileges.\n This vulnerability does not affect Java SE version 6.\n (CVE-2017-3511)\n\n - An unspecified flaw exists in the AWT subcomponent\n that allows an unauthenticated, remote attacker to\n execute arbitrary code. This vulnerability does not\n affect Java SE version 6. (CVE-2017-3512)\n\n - An unspecified flaw exists in the AWT subcomponent\n that allows an unauthenticated, remote attacker to\n execute arbitrary code. (CVE-2017-3514)\n\n - An unspecified flaw exists in the JAXP subcomponent that\n allows an unauthenticated, remote attacker to cause a\n denial of service condition. (CVE-2017-3526)\n\n - Multiple unspecified flaws exist in the Networking\n subcomponent that allow an unauthenticated, remote\n attacker to gain update, insert, or delete access to\n unauthorized data. 
(CVE-2017-3533, CVE-2017-3544)\n\n - An unspecified flaw exists in the Security subcomponent\n that allows an unauthenticated, remote attacker to gain\n update, insert, or delete access to unauthorized data.\n (CVE-2017-3539)\");\n # https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?02dc6498\");\n # http://www.oracle.com/technetwork/java/javase/8u131-relnotes-3565278.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ce35fa3a\");\n # https://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2fbcacca\");\n # http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?726f7054\");\n # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3681811.xml\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eb4db3c7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle JDK / JRE 6 Update 151 / 7 Update 141 / 8 Update 131\nor later. 
If necessary, remove any affected versions.\n\nNote that an Extended Support contract with Oracle is needed to obtain\nJDK / JRE 6 Update 95 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-3514\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"sun_java_jre_installed.nasl\");\n script_require_keys(\"SMB/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list_or_exit(\"SMB/Java/JRE/*\");\n\ninfo = \"\";\nvuln = 0;\ninstalled_versions = \"\";\n\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"SMB/Java/JRE/\";\n if (ver !~ \"^[0-9.]+\") continue;\n\n installed_versions = installed_versions + \" & \" + ver;\n\n # Fixes : (JDK|JRE) 8 Update 131 / 7 Update 141 / 6 Update 151\n if (\n ver =~ '^1\\\\.6\\\\.0_([0-9]|[0-9][0-9]|1[0-4][0-9]|150)([^0-9]|$)' ||\n ver =~ '^1\\\\.7\\\\.0_([0-9]|[0-9][0-9]|1[0-3][0-9]|140)([^0-9]|$)' ||\n ver =~ '^1\\\\.8\\\\.0_([0-9]|[0-9][0-9]|1[0-2][0-9]|130)([^0-9]|$)'\n )\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.6.0_151 / 1.7.0_141 / 1.8.0_131\\n';\n }\n}\n\n# Report if any were found to be vulnerable.\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report =\n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse\n{\n installed_versions = substr(installed_versions, 3);\n if (\" & \" >< installed_versions)\n exit(0, \"The Java \"+installed_versions+\" installations on the remote host are not affected.\");\n else\n audit(AUDIT_INST_VER_NOT_VULN, \"Java\", installed_versions);\n}\n\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:25:35", "description": "The remote host is affected by the 
vulnerability described in GLSA-201705-03 (Oracle JDK/JRE: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Oracle’s JRE and JDK. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process, gain access to information, or cause a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2017-05-08T00:00:00", "type": "nessus", "title": "GLSA-201705-03 : Oracle JDK/JRE: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:oracle-jdk-bin", "p-cpe:/a:gentoo:linux:oracle-jre-bin", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201705-03.NASL", "href": "https://www.tenable.com/plugins/nessus/100017", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The 
descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201705-03.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100017);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3512\", \"CVE-2017-3514\", \"CVE-2017-3526\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n script_xref(name:\"GLSA\", value:\"201705-03\");\n\n script_name(english:\"GLSA-201705-03 : Oracle JDK/JRE: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-201705-03\n(Oracle JDK/JRE: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Oracle’s JRE and\n JDK. 
Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, gain access to information, or cause a Denial\n of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201705-03\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Oracle JRE users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=dev-java/oracle-jre-bin-1.8.0.131'\n All Oracle JDK users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=dev-java/oracle-jdk-bin-1.8.0.131'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:oracle-jdk-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:oracle-jre-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-java/oracle-jdk-bin\", unaffected:make_list(\"ge 1.8.0.131\"), vulnerable:make_list(\"lt 1.8.0.131\"))) flag++;\nif (qpkg_check(package:\"dev-java/oracle-jre-bin\", unaffected:make_list(\"ge 1.8.0.131\"), vulnerable:make_list(\"lt 1.8.0.131\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Oracle JDK/JRE\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:28:09", "description": "This update for java-1_8_0-openjdk fixes the following issues :\n\n - Upgrade to version jdk8u131 (icedtea 3.4.0) - bsc#1034849\n\n - Security fixes\n\n - S8163520, CVE-2017-3509: Reuse cache entries\n\n - S8163528, CVE-2017-3511: Better library loading\n\n - S8165626, CVE-2017-3512: Improved window framing\n\n - S8167110, CVE-2017-3514: Windows peering issue\n\n - S8168699: Validate special case invocations\n\n - S8169011, CVE-2017-3526: Resizing XML parse trees\n\n - S8170222, CVE-2017-3533: Better transfers of files\n\n - S8171121, CVE-2017-3539: Enhancing jar checking\n\n - S8171533, CVE-2017-3544: Better email transfer\n\n - S8172299: Improve class processing\n\n - New 
features\n\n - PR1969: Add AArch32 JIT port\n\n - PR3297: Allow Shenandoah to be used on AArch64\n\n - PR3340: jstack.stp should support AArch64\n\n - Import of OpenJDK 8 u131 build 11\n\n - S6474807: (smartcardio) CardTerminal.connect() throws CardException instead of CardNotPresentException\n\n - S6515172, PR3346: Runtime.availableProcessors() ignores Linux taskset command\n\n - S7155957:\n closed/java/awt/MenuBar/MenuBarStress1/MenuBarStress1.ja va hangs on win 64 bit with jdk8\n\n - S7167293: FtpURLConnection connection leak on FileNotFoundException\n\n - S8035568: [macosx] Cursor management unification\n\n - S8079595: Resizing dialog which is JWindow parent makes JVM crash\n\n - S8130769: The new menu can't be shown on the menubar after clicking the 'Add' button.\n\n - S8146602:\n jdk/test/sun/misc/URLClassPath/ClassnameCharTest.java test fails with NullPointerException\n\n - S8147842: IME Composition Window is displayed at incorrect location\n\n - S8147910, PR3346: Cache initial active_processor_count\n\n - S8150490: Update OS detection code to recognize Windows Server 2016\n\n - S8160951: [TEST_BUG] javax/xml/bind/marshal/8134111/UnmarshalTest.java should be added into :needs_jre group\n\n - S8160958: [TEST_BUG] java/net/SetFactoryPermission/SetFactoryPermission.java should be added into :needs_compact2 group\n\n - S8161147: jvm crashes when -XX:+UseCountedLoopSafepoints is enabled\n\n - S8161195: Regression:\n closed/javax/swing/text/FlowView/LayoutTest.java\n\n - S8161993, PR3346: G1 crashes if active_processor_count changes during startup\n\n - S8162876: [TEST_BUG] sun/net/www/protocol/http/HttpInputStream.java fails intermittently\n\n - S8162916: Test sun/security/krb5/auto/UnboundSSL.java fails\n\n - S8164533:\n sun/security/ssl/SSLSocketImpl/CloseSocket.java failed with 'Error while cleaning up threads after test'\n\n - S8167179: Make XSL generated namespace prefixes local to transformation process\n\n - S8168774: Polymorhic signature method check 
crashes javac\n\n - S8169465: Deadlock in com.sun.jndi.ldap.pool.Connections\n\n - S8169589: [macosx] Activating a JDialog puts to back another dialog\n\n - S8170307: Stack size option -Xss is ignored\n\n - S8170316: (tz) Support tzdata2016j\n\n - S8170814: Reuse cache entries (part II)\n\n - S8170888, PR3314, RH1284948: [linux] Experimental support for cgroup memory limits in container (ie Docker) environments\n\n - S8171388: Update JNDI Thread contexts\n\n - S8171949: [macosx] AWT_ZoomFrame Automated tests fail with error: The bitwise mask Frame.ICONIFIED is not setwhen the frame is in ICONIFIED state\n\n - S8171952: [macosx] AWT_Modality/Automated/ModalExclusion/NoExclusion/Modele ssDialog test fails as DummyButton on Dialog did not gain focus when 	 clicked.\n\n - S8173030: Temporary backout fix #8035568 from 8u131-b03\n\n - S8173031: Temporary backout fix #8171952 from 8u131-b03\n\n - S8173783, PR3328: IllegalArgumentException:\n jdk.tls.namedGroups\n\n - S8173931: 8u131 L10n resource file update\n\n - S8174844: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle\n\n - S8174985: NTLM authentication doesn't work with IIS if NTLM cache is disabled\n\n - S8176044: (tz) Support tzdata2017a\n\n - Backports\n\n - S6457406, PR3335: javadoc doesn't handle <a href='http://...'> properly in producing index pages\n\n - S8030245, PR3335: Update langtools to use try-with-resources and multi-catch\n\n - S8030253, PR3335: Update langtools to use strings-in-switch\n\n - S8030262, PR3335: Update langtools to use foreach loops\n\n - S8031113, PR3337: TEST_BUG:\n java/nio/channels/AsynchronousChannelGroup/Basic.java fails intermittently\n\n - S8031625, PR3335: javadoc problems referencing inner class constructors\n\n - S8031649, PR3335: Clean up javadoc tests\n\n - S8031670, PR3335: Remove unneeded -source options in javadoc tests\n\n - S8032066, PR3335: Serialized form has broken links to non private inner classes of package 
private\n\n - S8034174, PR2290: Remove use of JVM_* functions from java.net code\n\n - S8034182, PR2290: Misc. warnings in java.net code\n\n - S8035876, PR2290: AIX build issues after '8034174:\n Remove use of JVM_* functions from java.net code'\n\n - S8038730, PR3335: Clean up the way JavadocTester is invoked, and checks for errors.\n\n - S8040903, PR3335: Clean up use of BUG_ID in javadoc tests\n\n - S8040904, PR3335: Ensure javadoc tests do not overwrite results within tests\n\n - S8040908, PR3335: javadoc test TestDocEncoding should use\n\n -notimestamp\n\n - S8041150, PR3335: Avoid silly use of static methods in JavadocTester\n\n - S8041253, PR3335: Avoid redundant synonyms of NO_TEST\n\n - S8043780, PR3368: Use open(O_CLOEXEC) instead of fcntl(FD_CLOEXEC)\n\n - S8061305, PR3335: Javadoc crashes when method name ends with 'Property'\n\n - S8072452, PR3337: Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits\n\n - S8075565, PR3337: Define @intermittent jtreg keyword and mark intermittently failing jdk tests\n\n - S8075670, PR3337: Remove intermittent keyword from some tests\n\n - S8078334, PR3337: Mark regression tests using randomness\n\n - S8078880, PR3337: Mark a few more intermittently failuring security-libs\n\n - S8133318, PR3337: Exclude intermittent failing PKCS11 tests on Solaris SPARC 11.1 and earlier\n\n - S8144539, PR3337: Update PKCS11 tests to run with security manager\n\n - S8144566, PR3352: Custom HostnameVerifier disables SNI extension\n\n - S8153711, PR3313, RH1284948: [REDO] JDWP: Memory Leak:\n GlobalRefs never deleted when processing invokeMethod command\n\n - S8155049, PR3352: New tests from 8144566 fail with 'No expected Server Name Indication'\n\n - S8173941, PR3326: SA does not work if executable is DSO\n\n - S8174164, PR3334, RH1417266:\n SafePointNode::_replaced_nodes breaks with irreducible loops\n\n - S8174729, PR3336, RH1420518: Race Condition in java.lang.reflect.WeakCache\n\n - S8175097, PR3334, RH1417266: [TESTBUG] 
8174164 fix missed the test\n\n - Bug fixes\n\n - PR3348: Architectures unsupported by SystemTap tapsets throw a parse error\n\n - PR3378: Perl should be mandatory\n\n - PR3389: javac.in and javah.in should use @PERL@ rather than a hardcoded path\n\n - AArch64 port\n\n - S8168699, PR3372: Validate special case invocations [AArch64 support]\n\n - S8170100, PR3372: AArch64: Crash in C1-compiled code accessing References\n\n - S8172881, PR3372: AArch64: assertion failure: the int pressure is incorrect\n\n - S8173472, PR3372: AArch64: C1 comparisons with null only use 32-bit instructions\n\n - S8177661, PR3372: Correct ad rule output register types from iRegX to iRegXNoSp\n\n - AArch32 port\n\n - PR3380: Zero should not be enabled by default on arm with the AArch32 HotSpot build\n\n - PR3384, S8139303, S8167584: Add support for AArch32 architecture to configure and jdk makefiles\n\n - PR3385: aarch32 does not support -Xshare:dump\n\n - PR3386, S8164652: AArch32 jvm.cfg wrong for C1 build\n\n - PR3387: Installation fails on arm with AArch32 port as INSTALL_ARCH_DIR is arm, not aarch32\n\n - PR3388: Wrong path for jvm.cfg being used on arm with AArch32 build\n\n - Shenandoah\n\n - Fix Shenandoah argument checking on 32bit builds.\n\n - Import from Shenandoah tag aarch64-shenandoah-jdk8u101-b14-shenandoah-merge-2016-07\n -25\n\n - Import from Shenandoah tag aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-02\n -20\n\n - Import from Shenandoah tag aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03\n -06\n\n - Import from Shenandoah tag aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03\n -09\n\n - Import from Shenandoah tag aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03\n -23\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update project.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2017-06-09T00:00:00", "type": "nessus", "title": "openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2017-662)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:java-1_8_0-openjdk", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-accessibility", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debuginfo", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debugsource", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo-debuginfo", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel-debuginfo", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless-debuginfo", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-javadoc", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-src", "cpe:/o:novell:opensuse:42.2"], "id": "OPENSUSE-2017-662.NASL", "href": "https://www.tenable.com/plugins/nessus/100707", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in 
this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-662.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100707);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3512\", \"CVE-2017-3514\", \"CVE-2017-3526\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2017-662)\");\n script_summary(english:\"Check for the openSUSE-2017-662 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_8_0-openjdk fixes the following issues :\n\n - Upgrade to version jdk8u131 (icedtea 3.4.0) -\n bsc#1034849\n\n - Security fixes\n\n - S8163520, CVE-2017-3509: Reuse cache entries\n\n - S8163528, CVE-2017-3511: Better library loading\n\n - S8165626, CVE-2017-3512: Improved window framing\n\n - S8167110, CVE-2017-3514: Windows peering issue\n\n - S8168699: Validate special case invocations\n\n - S8169011, CVE-2017-3526: Resizing XML parse trees\n\n - S8170222, CVE-2017-3533: Better transfers of files\n\n - S8171121, CVE-2017-3539: Enhancing jar checking\n\n - S8171533, CVE-2017-3544: Better email transfer\n\n - S8172299: Improve class processing\n\n - New features\n\n - PR1969: Add AArch32 JIT port\n\n - PR3297: Allow Shenandoah to be used on AArch64\n\n - PR3340: jstack.stp should support AArch64\n\n - Import of OpenJDK 8 u131 build 11\n\n - S6474807: (smartcardio) CardTerminal.connect() throws\n CardException instead of CardNotPresentException\n\n - S6515172, PR3346: Runtime.availableProcessors() ignores\n Linux taskset command\n\n - S7155957:\n 
closed/java/awt/MenuBar/MenuBarStress1/MenuBarStress1.ja\n va hangs on win 64 bit with jdk8\n\n - S7167293: FtpURLConnection connection leak on\n FileNotFoundException\n\n - S8035568: [macosx] Cursor management unification\n\n - S8079595: Resizing dialog which is JWindow parent makes\n JVM crash\n\n - S8130769: The new menu can't be shown on the menubar\n after clicking the 'Add' button.\n\n - S8146602:\n jdk/test/sun/misc/URLClassPath/ClassnameCharTest.java\n test fails with NullPointerException\n\n - S8147842: IME Composition Window is displayed at\n incorrect location\n\n - S8147910, PR3346: Cache initial active_processor_count\n\n - S8150490: Update OS detection code to recognize Windows\n Server 2016\n\n - S8160951: [TEST_BUG]\n javax/xml/bind/marshal/8134111/UnmarshalTest.java should\n be added into :needs_jre group\n\n - S8160958: [TEST_BUG]\n java/net/SetFactoryPermission/SetFactoryPermission.java\n should be added into :needs_compact2 group\n\n - S8161147: jvm crashes when -XX:+UseCountedLoopSafepoints\n is enabled\n\n - S8161195: Regression:\n closed/javax/swing/text/FlowView/LayoutTest.java\n\n - S8161993, PR3346: G1 crashes if active_processor_count\n changes during startup\n\n - S8162876: [TEST_BUG]\n sun/net/www/protocol/http/HttpInputStream.java fails\n intermittently\n\n - S8162916: Test sun/security/krb5/auto/UnboundSSL.java\n fails\n\n - S8164533:\n sun/security/ssl/SSLSocketImpl/CloseSocket.java failed\n with 'Error while cleaning up threads after test'\n\n - S8167179: Make XSL generated namespace prefixes local to\n transformation process\n\n - S8168774: Polymorhic signature method check crashes\n javac\n\n - S8169465: Deadlock in com.sun.jndi.ldap.pool.Connections\n\n - S8169589: [macosx] Activating a JDialog puts to back\n another dialog\n\n - S8170307: Stack size option -Xss is ignored\n\n - S8170316: (tz) Support tzdata2016j\n\n - S8170814: Reuse cache entries (part II)\n\n - S8170888, PR3314, RH1284948: [linux] Experimental\n support for 
cgroup memory limits in container (ie\n Docker) environments\n\n - S8171388: Update JNDI Thread contexts\n\n - S8171949: [macosx] AWT_ZoomFrame Automated tests fail\n with error: The bitwise mask Frame.ICONIFIED is not\n setwhen the frame is in ICONIFIED state\n\n - S8171952: [macosx]\n AWT_Modality/Automated/ModalExclusion/NoExclusion/Modele\n ssDialog test fails as DummyButton on Dialog did not\n gain focus when 	 clicked.\n\n - S8173030: Temporary backout fix #8035568 from 8u131-b03\n\n - S8173031: Temporary backout fix #8171952 from 8u131-b03\n\n - S8173783, PR3328: IllegalArgumentException:\n jdk.tls.namedGroups\n\n - S8173931: 8u131 L10n resource file update\n\n - S8174844: Incorrect GPL header causes RE script to miss\n swap to commercial header for licensee source bundle\n\n - S8174985: NTLM authentication doesn't work with IIS if\n NTLM cache is disabled\n\n - S8176044: (tz) Support tzdata2017a\n\n - Backports\n\n - S6457406, PR3335: javadoc doesn't handle <a\n href='http://...'> properly in producing index pages\n\n - S8030245, PR3335: Update langtools to use\n try-with-resources and multi-catch\n\n - S8030253, PR3335: Update langtools to use\n strings-in-switch\n\n - S8030262, PR3335: Update langtools to use foreach loops\n\n - S8031113, PR3337: TEST_BUG:\n java/nio/channels/AsynchronousChannelGroup/Basic.java\n fails intermittently\n\n - S8031625, PR3335: javadoc problems referencing inner\n class constructors\n\n - S8031649, PR3335: Clean up javadoc tests\n\n - S8031670, PR3335: Remove unneeded -source options in\n javadoc tests\n\n - S8032066, PR3335: Serialized form has broken links to\n non private inner classes of package private\n\n - S8034174, PR2290: Remove use of JVM_* functions from\n java.net code\n\n - S8034182, PR2290: Misc. 
warnings in java.net code\n\n - S8035876, PR2290: AIX build issues after '8034174:\n Remove use of JVM_* functions from java.net code'\n\n - S8038730, PR3335: Clean up the way JavadocTester is\n invoked, and checks for errors.\n\n - S8040903, PR3335: Clean up use of BUG_ID in javadoc\n tests\n\n - S8040904, PR3335: Ensure javadoc tests do not overwrite\n results within tests\n\n - S8040908, PR3335: javadoc test TestDocEncoding should\n use\n\n -notimestamp\n\n - S8041150, PR3335: Avoid silly use of static methods in\n JavadocTester\n\n - S8041253, PR3335: Avoid redundant synonyms of NO_TEST\n\n - S8043780, PR3368: Use open(O_CLOEXEC) instead of\n fcntl(FD_CLOEXEC)\n\n - S8061305, PR3335: Javadoc crashes when method name ends\n with 'Property'\n\n - S8072452, PR3337: Support DHE sizes up to 8192-bits and\n DSA sizes up to 3072-bits\n\n - S8075565, PR3337: Define @intermittent jtreg keyword and\n mark intermittently failing jdk tests\n\n - S8075670, PR3337: Remove intermittent keyword from some\n tests\n\n - S8078334, PR3337: Mark regression tests using randomness\n\n - S8078880, PR3337: Mark a few more intermittently\n failuring security-libs\n\n - S8133318, PR3337: Exclude intermittent failing PKCS11\n tests on Solaris SPARC 11.1 and earlier\n\n - S8144539, PR3337: Update PKCS11 tests to run with\n security manager\n\n - S8144566, PR3352: Custom HostnameVerifier disables SNI\n extension\n\n - S8153711, PR3313, RH1284948: [REDO] JDWP: Memory Leak:\n GlobalRefs never deleted when processing invokeMethod\n command\n\n - S8155049, PR3352: New tests from 8144566 fail with 'No\n expected Server Name Indication'\n\n - S8173941, PR3326: SA does not work if executable is DSO\n\n - S8174164, PR3334, RH1417266:\n SafePointNode::_replaced_nodes breaks with irreducible\n loops\n\n - S8174729, PR3336, RH1420518: Race Condition in\n java.lang.reflect.WeakCache\n\n - S8175097, PR3334, RH1417266: [TESTBUG] 8174164 fix\n missed the test\n\n - Bug fixes\n\n - PR3348: Architectures 
unsupported by SystemTap tapsets\n throw a parse error\n\n - PR3378: Perl should be mandatory\n\n - PR3389: javac.in and javah.in should use @PERL@ rather\n than a hardcoded path\n\n - AArch64 port\n\n - S8168699, PR3372: Validate special case invocations\n [AArch64 support]\n\n - S8170100, PR3372: AArch64: Crash in C1-compiled code\n accessing References\n\n - S8172881, PR3372: AArch64: assertion failure: the int\n pressure is incorrect\n\n - S8173472, PR3372: AArch64: C1 comparisons with null only\n use 32-bit instructions\n\n - S8177661, PR3372: Correct ad rule output register types\n from iRegX to iRegXNoSp\n\n - AArch32 port\n\n - PR3380: Zero should not be enabled by default on arm\n with the AArch32 HotSpot build\n\n - PR3384, S8139303, S8167584: Add support for AArch32\n architecture to configure and jdk makefiles\n\n - PR3385: aarch32 does not support -Xshare:dump\n\n - PR3386, S8164652: AArch32 jvm.cfg wrong for C1 build\n\n - PR3387: Installation fails on arm with AArch32 port as\n INSTALL_ARCH_DIR is arm, not aarch32\n\n - PR3388: Wrong path for jvm.cfg being used on arm with\n AArch32 build\n\n - Shenandoah\n\n - Fix Shenandoah argument checking on 32bit builds.\n\n - Import from Shenandoah tag\n aarch64-shenandoah-jdk8u101-b14-shenandoah-merge-2016-07\n -25\n\n - Import from Shenandoah tag\n aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-02\n -20\n\n - Import from Shenandoah tag\n aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03\n -06\n\n - Import from Shenandoah tag\n aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03\n -09\n\n - Import from Shenandoah tag\n aarch64-shenandoah-jdk8u121-b14-shenandoah-merge-2017-03\n -23\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://...'\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1034849\"\n );\n script_set_attribute(\n 
attribute:\"solution\", \n value:\"Update the affected java-1_8_0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable 
Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-1.8.0.131-10.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-accessibility-1.8.0.131-10.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.131-10.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.131-10.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-demo-1.8.0.131-10.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-demo-debuginfo-1.8.0.131-10.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-devel-1.8.0.131-10.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-devel-debuginfo-1.8.0.131-10.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-headless-1.8.0.131-10.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", 
reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.131-10.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-javadoc-1.8.0.131-10.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-src-1.8.0.131-10.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-openjdk / java-1_8_0-openjdk-accessibility / etc\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-17T15:24:10", "description": "The version of Oracle Java SE installed on the remote host is prior to 6 Update 151, 7 Update 141, or 8 Update 131, and is therefore affected by multiple vulnerabilities :\n\n - An unspecified flaw exists in the Networking subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2017-3509)\n - An unspecified flaw exists in the JCE subcomponent that allows a local attacker to gain elevated privileges. This vulnerability does not affect Java SE version 6. (CVE-2017-3511)\n - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. This vulnerability does not affect Java SE version 6. (CVE-2017-3512)\n - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3514)\n - An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3526)\n - Multiple unspecified flaws exist in the Networking subcomponent that allow an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data. 
(CVE-2017-3533, CVE-2017-3544)\n - An unspecified flaw exists in the Security subcomponent that allows an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data. (CVE-2017-3539)", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2017-05-10T00:00:00", "type": "nessus", "title": "Oracle Java SE 6 < Update 151 / 7 < Update 141 / 8 < Update 131 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:/a:oracle:java_se"], "id": "700090.PRM", "href": "https://www.tenable.com/plugins/nnm/700090", "sourceData": "Binary data 700090.prm", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:23:16", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 6 Update 151, 7 Update 141, or 8 Update 131. 
It is, therefore, affected by multiple vulnerabilities :\n\n - An unspecified flaw exists in the Networking subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity.\n (CVE-2017-3509)\n\n - An unspecified flaw exists in the JCE subcomponent that allows a local attacker to gain elevated privileges.\n This vulnerability does not affect Java SE version 6.\n (CVE-2017-3511)\n\n - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. This vulnerability does not affect Java SE version 6. (CVE-2017-3512)\n\n - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3514)\n\n - An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3526)\n\n - Multiple unspecified flaws exist in the Networking subcomponent that allow an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data. 
(CVE-2017-3533, CVE-2017-3544)\n\n - An unspecified flaw exists in the Security subcomponent that allows an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data.\n (CVE-2017-3539)", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2017-04-21T00:00:00", "type": "nessus", "title": "Oracle Java SE Multiple Vulnerabilities (April 2017 CPU) (Unix)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA_CPU_APR_2017_UNIX.NASL", "href": "https://www.tenable.com/plugins/nessus/99589", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99589);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2017-3509\",\n \"CVE-2017-3511\",\n 
\"CVE-2017-3512\",\n \"CVE-2017-3514\",\n \"CVE-2017-3526\",\n \"CVE-2017-3533\",\n \"CVE-2017-3539\",\n \"CVE-2017-3544\"\n );\n script_bugtraq_id(\n 97727,\n 97729,\n 97731,\n 97733,\n 97737,\n 97740,\n 97745,\n 97752\n );\n\n script_name(english:\"Oracle Java SE Multiple Vulnerabilities (April 2017 CPU) (Unix)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Unix host contains a programming platform that is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is prior to 6 Update 151, 7 Update 141,\nor 8 Update 131. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An unspecified flaw exists in the Networking\n subcomponent that allows an unauthenticated, remote\n attacker to impact confidentiality and integrity.\n (CVE-2017-3509)\n\n - An unspecified flaw exists in the JCE subcomponent that\n allows a local attacker to gain elevated privileges.\n This vulnerability does not affect Java SE version 6.\n (CVE-2017-3511)\n\n - An unspecified flaw exists in the AWT subcomponent\n that allows an unauthenticated, remote attacker to\n execute arbitrary code. This vulnerability does not\n affect Java SE version 6. (CVE-2017-3512)\n\n - An unspecified flaw exists in the AWT subcomponent\n that allows an unauthenticated, remote attacker to\n execute arbitrary code. (CVE-2017-3514)\n\n - An unspecified flaw exists in the JAXP subcomponent that\n allows an unauthenticated, remote attacker to cause a\n denial of service condition. (CVE-2017-3526)\n\n - Multiple unspecified flaws exist in the Networking\n subcomponent that allow an unauthenticated, remote\n attacker to gain update, insert, or delete access to\n unauthorized data. 
(CVE-2017-3533, CVE-2017-3544)\n\n - An unspecified flaw exists in the Security subcomponent\n that allows an unauthenticated, remote attacker to gain\n update, insert, or delete access to unauthorized data.\n (CVE-2017-3539)\");\n # https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?02dc6498\");\n # http://www.oracle.com/technetwork/java/javase/8u131-relnotes-3565278.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ce35fa3a\");\n # https://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2fbcacca\");\n # http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?726f7054\");\n # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3681811.xml\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eb4db3c7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle JDK / JRE 6 Update 151 / 7 Update 141 / 8 Update 131\nor later. 
If necessary, remove any affected versions.\n\nNote that an Extended Support contract with Oracle is needed to obtain\nJDK / JRE 6 Update 95 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-3514\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"sun_java_jre_installed_unix.nasl\");\n script_require_keys(\"Host/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list_or_exit(\"Host/Java/JRE/Unmanaged/*\");\n\ninfo = \"\";\nvuln = 0;\nvuln2 = 0;\ninstalled_versions = \"\";\ngranular = \"\";\n\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"Host/Java/JRE/Unmanaged/\";\n if (ver !~ \"^[0-9.]+\") continue;\n\n installed_versions = installed_versions + \" & \" + ver;\n\n # Fixes : (JDK|JRE) 8 Update 131 / 7 Update 141 / 6 Update 151\n if (\n ver =~ '^1\\\\.6\\\\.0_([0-9]|[0-9][0-9]|1[0-4][0-9]|150)([^0-9]|$)' ||\n ver =~ '^1\\\\.7\\\\.0_([0-9]|[0-9][0-9]|1[0-3][0-9]|140)([^0-9]|$)' ||\n ver =~ '^1\\\\.8\\\\.0_([0-9]|[0-9][0-9]|1[0-2][0-9]|130)([^0-9]|$)'\n )\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.6.0_151 / 1.7.0_141 / 1.8.0_131\\n';\n }\n else if (ver =~ \"^[\\d\\.]+$\")\n {\n dirs = make_list(get_kb_list(install));\n foreach dir (dirs)\n granular += \"The Oracle Java version \"+ver+\" at \"+dir+\" is not granular enough to make a determination.\"+'\\n';\n }\n else\n {\n dirs = make_list(get_kb_list(install));\n vuln2 += max_index(dirs);\n }\n\n}\n\n# Report if any were found to be vulnerable.\nif (info)\n{\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report =\n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_warning(port:0, extra:report);\n }\n else security_warning(0);\n if (granular) exit(0, granular);\n}\nelse\n{\n if (granular) exit(0, granular);\n\n installed_versions = substr(installed_versions, 3);\n if (vuln2 > 1)\n 
exit(0, \"The Java \"+installed_versions+\" installations on the remote host are not affected.\");\n else\n audit(AUDIT_INST_VER_NOT_VULN, \"Java\", installed_versions);\n}\n\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:25:06", "description": "This update for java-1_6_0-ibm fixes the following issues :\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\n - Version update to 6.0-16.40 bsc#1027038 CVE-2016-2183\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-31T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2017:1444-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2183", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3514", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_6_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-devel", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-fonts", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-plugin", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2017-1444-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100540", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# 
extracted from SUSE update advisory SUSE-SU-2017:1444-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100540);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-2183\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3514\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2017:1444-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_6_0-ibm fixes the following issues :\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP\n client\n\n - Version update to 6.0-16.40 bsc#1027038 CVE-2016-2183\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1027038\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2183/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3514/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171444-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8c928ab5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your 
product :\n\nSUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch\nslessp3-java-1_6_0-ibm-13130=1\n\nSUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch\nsleposp3-java-1_6_0-ibm-13130=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-fonts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_6_0-ibm-plugin-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_6_0-ibm-alsa-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_6_0-ibm-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_6_0-ibm-devel-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_6_0-ibm-fonts-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_6_0-ibm-jdbc-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"i586\", reference:\"java-1_6_0-ibm-plugin-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"i586\", reference:\"java-1_6_0-ibm-alsa-1.6.0_sr16.45-84.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_6_0-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:46:25", "description": "This update for java-1_6_0-ibm fixes the following issues :\n\n - Version update to 6.0-16.45 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated 
connections\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\n - Version update to 6.0-16.40 bsc#1027038 CVE-2016-2183\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-02T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2017:1389-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2183", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3514", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_6_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-fonts", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-jdbc", 
"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-plugin", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-1389-1.NASL", "href": "https://www.tenable.com/plugins/nessus/119998", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1389-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119998);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-2183\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3514\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2017:1389-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_6_0-ibm fixes the following issues :\n\n - Version update to 6.0-16.45 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3544: OpenJDK: newline injection in the 
SMTP\n client\n\n - Version update to 6.0-16.40 bsc#1027038 CVE-2016-2183\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1027038\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2183/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3514/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171389-1/\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"http://www.nessus.org/u?b43ae059\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Legacy Software 12:zypper in -t patch\nSUSE-SLE-Module-Legacy-12-2017-843=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-fonts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"java-1_6_0-ibm-plugin-1.6.0_sr16.45-49.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_6_0-ibm-1.6.0_sr16.45-49.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_6_0-ibm-fonts-1.6.0_sr16.45-49.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_6_0-ibm-jdbc-1.6.0_sr16.45-49.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_6_0-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-10T19:21:21", "description": "The version of IBM Java installed on the remote host is prior to 6.0 < 6.0.16.45 / 6.1 < 6.1.8.45 / 7.0 < 7.0.10.5 / 7.1 < 7.1.4.5 / 8.0 < 8.0.4.5. It is, therefore, affected by multiple vulnerabilities as referenced in the Oracle April 18 2017 CPU advisory.\n\n - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking).\n Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2017-3509)\n\n - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE).\n Supported versions that are affected are Java SE: 7u131 and 8u121; Java SE Embedded: 8u121; JRockit:\n R28.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, Java SE Embedded, JRockit executes to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxe